From 1edc8c249da009e8e99ee4d0f6dce9449ab03c41 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 19 Jul 2015 22:51:39 +0200 Subject: 2 lass.desktop-base: remove german keyboard layout --- 2configs/lass/desktop-base.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/2configs/lass/desktop-base.nix b/2configs/lass/desktop-base.nix index ee7a94bc9..9b98e4a8b 100644 --- a/2configs/lass/desktop-base.nix +++ b/2configs/lass/desktop-base.nix @@ -55,11 +55,9 @@ in { displayManager.auto.enable = true; displayManager.auto.user = mainUser.name; - layout = "us,de"; + layout = "us"; xkbModel = "evdev"; - xkbVariant = "altgr-intl,nodeadkeys"; - xkbOptions = "grp:caps_toggle"; - + xkbVariant = "altgr-intl"; }; } -- cgit v1.3.1 From 2eb1002f7a47b09b64ae1985642168e9733c92e7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 18:57:58 +0200 Subject: 1&2 lass: move userconfig to base.nix --- 1systems/lass/mors.nix | 15 --------------- 1systems/lass/uriel.nix | 33 ++++++++++----------------------- 2configs/lass/base.nix | 26 ++++++++++++++++++++++++-- 3 files changed, 34 insertions(+), 40 deletions(-) diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index 940dc4fdb..7e70be8c4 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -168,21 +168,6 @@ ''; }; - users.extraUsers = { - #main user - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - extraGroups = [ "wheel" "audio" ]; - }; - }; - environment.systemPackages = with pkgs; [ ]; diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index 25745d055..a5a0833dc 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix @@ -1,5 +1,6 @@ { config, pkgs, ... }: +with builtins; { imports = [ ../../2configs/lass/desktop-base.nix 
@@ -30,6 +31,15 @@ enable = true; }; } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/uriel.ssh.pub + ]; + }; + }; + } ]; networking.hostName = "uriel"; @@ -87,29 +97,6 @@ ''; }; - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - description = "lassulus"; - extraGroups = [ "wheel" "audio" ]; - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - }; - environment.systemPackages = with pkgs; [ ]; diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 5e5b8a7b1..26e6cae51 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -3,14 +3,36 @@ with lib; { imports = [ - ./sshkeys.nix ../../3modules/lass/iptables.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) (import /root/src/secrets/hashedPasswords.nix); } - + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + }; + } ]; nix.useChroot = true; -- cgit v1.3.1 From 69a4c44f08d6e2c6e9a3b9a797fc535d1333833b Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 19:02:31 +0200 Subject: 2 lass: remove gitolite from base.nix --- 2configs/lass/base.nix | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 26e6cae51..a0d3c3ad4 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix 
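Review bot: Dropping `./sshkeys.nix` from the imports leaves `config.sshKeys.lass.pub` still referenced further down this same file in the `services.gitolite` block (visible in the next commit's hunk, which comments it out), so if that import was what declared `sshKeys`, this revision of base.nix does not evaluate on its own and the gitolite change belongs in this commit. Separately, the one key file `../../Zpubkeys/lass.ssh.pub` is now authorized for both root and mainUser on every host importing base.nix, while the uriel.nix hunk of this commit additionally appends `uriel.ssh.pub` to root; the module system presumably concatenates these lists, so root on uriel ends up with both keys. A one-line comment above the root entry would make that intent explicit, e.g. `# root accepts lass's key on every host; individual hosts may append their own`. The enclosing `imports` list continues outside the hunk.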
@@ -99,11 +99,11 @@ with lib; "sendmail" ]; - services.gitolite = { - enable = true; - dataDir = "/home/gitolite"; - adminPubkey = config.sshKeys.lass.pub; - }; + #services.gitolite = { + # enable = true; + # dataDir = "/home/gitolite"; + # adminPubkey = config.sshKeys.lass.pub; + #}; services.openssh = { enable = true; @@ -132,27 +132,4 @@ with lib; }; }; - #Networking.firewall = { - # enable = true; - - # allowedTCPPorts = [ - # 22 - # ]; - - # extraCommands = '' - # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # iptables -A INPUT -j ACCEPT -i lo - # #http://serverfault.com/questions/84963/why-not-block-icmp - # iptables -A INPUT -j ACCEPT -p icmp - - # #TODO: fix Retiolum firewall - # #iptables -N RETIOLUM - # #iptables -A INPUT -j RETIOLUM -i retiolum - # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset - # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable - # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable - # #iptables -A RETIOLUM -j REJECT - # ''; - #}; } -- cgit v1.3.1 From bf4f2e31d3b5872fedc363325c90897f6826402f Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 19:04:40 +0200 Subject: lass: add cloudkrebs system --- 0make/lass/cloudkrebs.makefile | 4 ++++ 1systems/lass/cloudkrebs.nix | 43 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 0make/lass/cloudkrebs.makefile create mode 100644 1systems/lass/cloudkrebs.nix diff --git a/0make/lass/cloudkrebs.makefile b/0make/lass/cloudkrebs.makefile new file mode 100644 index 000000000..baf7660b4 --- /dev/null +++ b/0make/lass/cloudkrebs.makefile @@ -0,0 +1,4 @@ +deploy_host := root@cloudkrebs +nixpkgs_url := https://github.com/Lassulus/nixpkgs +nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b +secrets_dir := /home/lass/secrets/cloudkrebs 
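Review bot: Commenting out the `services.gitolite` block keeps a stale reference to `config.sshKeys.lass.pub`, whose `./sshkeys.nix` import was removed in the previous commit, as dead text in base.nix; git history already preserves the old form, so deleting the block (as the second hunk of this same commit does for the old firewall comment) is cleaner. If it is meant to come back, a single line such as `# gitolite disabled here: <reason>` carries more information than five commented lines. Disabling the service presumably leaves the existing `/home/gitolite` state in place on hosts that had it enabled, which the commit message could mention.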
diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix new file mode 100644 index 000000000..dc27affe7 --- /dev/null +++ b/1systems/lass/cloudkrebs.nix @@ -0,0 +1,43 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../../2configs/tv/CAC-Developer-2.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/lass/base.nix + { + networking.interfaces.enp2s1.ip4 = [ + { + address = "104.167.113.104"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "104.167.113.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + } + { + imports = [ ../../3modules/tv/retiolum.nix ]; + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "gum" + "pigstarter" + ]; + }; + } + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + }; + } + ]; + + networking.hostName = "cloudkrebs"; + +} -- cgit v1.3.1 From a1ea09404f717493cac5bd320093a7240dac32fd Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 21 Jul 2015 19:14:15 +0200 Subject: 2 lass.git-repos: change irc-server to cd --- 2configs/lass/git-repos.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix index c0c305b85..b4f446aef 100644 --- a/2configs/lass/git-repos.nix +++ b/2configs/lass/git-repos.nix @@ -39,7 +39,7 @@ let post-receive = git.irc-announce { nick = config.networking.hostName; # TODO make this the default channel = "#retiolum"; - server = "ire.retiolum"; + server = "cd.retiolum"; }; }; }; @@ -63,7 +63,7 @@ let post-receive = git.irc-announce { nick = config.networking.hostName; # TODO make this the default channel = "#retiolum"; - server = "ire.retiolum"; + server = "cd.retiolum"; }; }; public = true; -- cgit v1.3.1 From d94b2132d54a7b38fa307bb1ad5c0ddf9812f54e Mon Sep 17 00:00:00 2001 
From: lassulus Date: Thu, 23 Jul 2015 02:11:56 +0200 Subject: 1&2 lass: move exim/retiolum to retiolum.nix --- 1systems/lass/cloudkrebs.nix | 13 +------------ 1systems/lass/mors.nix | 14 +------------- 1systems/lass/uriel.nix | 14 +------------- 2configs/lass/retiolum.nix | 29 +++++++++++++++++++++++++++++ 4 files changed, 32 insertions(+), 38 deletions(-) create mode 100644 2configs/lass/retiolum.nix diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index dc27affe7..53e23dbee 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -5,6 +5,7 @@ ../../2configs/tv/CAC-Developer-2.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix ../../2configs/lass/base.nix + ../../2configs/lass/retiolum.nix { networking.interfaces.enp2s1.ip4 = [ { @@ -18,18 +19,6 @@ ]; } - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } { imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index 7e70be8c4..dacf7668e 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -20,19 +20,7 @@ ../../2configs/lass/chromium-patched.nix ../../2configs/lass/git-repos.nix ../../2configs/tv/synaptics.nix - ../../2configs/tv/exim-retiolum.nix - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } + ../../2configs/lass/retiolum.nix { imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index a5a0833dc..7a5da23e1 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix 
@@ -12,19 +12,7 @@ with builtins; ../../2configs/lass/bird.nix ../../2configs/lass/git-repos.nix ../../2configs/lass/chromium-patched.nix - ../../2configs/tv/exim-retiolum.nix - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } + ../../2configs/lass/retiolum.nix { imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { diff --git a/2configs/lass/retiolum.nix b/2configs/lass/retiolum.nix new file mode 100644 index 000000000..d1389ad2a --- /dev/null +++ b/2configs/lass/retiolum.nix @@ -0,0 +1,29 @@ +{ ... }: + +{ + imports = [ + ../../3modules/lass/iptables.nix + ../../3modules/tv/retiolum.nix + ../../2configs/tv/exim-retiolum.nix + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } + { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } + ]; + }; + }; + + tv.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "cloudkrebs" + "pigstarter" + ]; + }; +} -- cgit v1.3.1 From 47f68443a39d8492b4bd056de8e35cfef2027f0c Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:17:40 +0200 Subject: 1&2 lass: move vim.nix import to base.nix --- 1systems/lass/mors.nix | 1 - 1systems/lass/uriel.nix | 1 - 2configs/lass/base.nix | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index dacf7668e..300738089 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -8,7 +8,6 @@ ../../2configs/lass/browsers.nix ../../2configs/lass/games.nix ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix ../../2configs/lass/virtualbox.nix ../../2configs/lass/elster.nix ../../2configs/lass/urxvt.nix diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index 7a5da23e1..a6f5a82d6 100644 
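Review bot: The three ACCEPT rules in `lass.iptables` are not bound to an interface, so on a host with a public address such as cloudkrebs (104.167.113.104 in the cloudkrebs.nix hunk of this commit) `-p tcp --dport smtp` is open to the whole internet even though the file pairs exim with retiolum only; if the mail listener is meant for VPN peers, `{ predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }` restricts it while the tinc ports stay reachable for the `connectTo` peers. Separately, `connectTo` now lists `"cloudkrebs"`, and cloudkrebs.nix imports this very file in the first hunk of this commit, so that host is configured to connect to itself — tinc presumably rejects or logs that, but filtering the list against the host's own name would avoid it. mors.nix and uriel.nix also lose `"gum"` from their previous peer list by switching to this file, which the commit message does not mention.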
--- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix @@ -7,7 +7,6 @@ with builtins; ../../2configs/lass/browsers.nix ../../2configs/lass/games.nix ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix ../../2configs/lass/urxvt.nix ../../2configs/lass/bird.nix ../../2configs/lass/git-repos.nix diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index a0d3c3ad4..35631ffef 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -4,6 +4,7 @@ with lib; { imports = [ ../../3modules/lass/iptables.nix + ../../2configs/lass/vim.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) -- cgit v1.3.1 From ab9a4dac127f378471126a72c7dc36a5ae7c29d6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:18:45 +0200 Subject: 3 lass.iptables: fix precedence sort order --- 3modules/lass/iptables.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix index c97b9f730..8c6ad3fa1 100644 --- a/3modules/lass/iptables.nix +++ b/3modules/lass/iptables.nix @@ -106,7 +106,7 @@ let buildChain = tn: cn: let - sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules; + sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; in #TODO: double check should be unneccessary, refactor! -- cgit v1.3.1 From 5913192e74212e3398b126d50030cfd60333c295 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:19:24 +0200 Subject: 2 lass.base: use precedence in iptables config --- 2configs/lass/base.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 35631ffef..b24e6a9a4 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix 
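Review bot: Flipping the comparator to `a.precedence > b.precedence` makes higher precedence sort first, but nothing in the hunk records that convention, and rules declared without a `precedence` attribute — `2configs/lass/retiolum.nix` and the `fastpoke-pages.nix` rules later in this series give none — only evaluate if the option declares a default; confirm that default exists and where it places such rules relative to the 9998–10001 values the base.nix hunk in commit 5913192 assigns. A comment above the sort would make the contract visible: `# higher precedence is emitted first`. buildChain's body continues outside the hunk.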
@@ -125,10 +125,10 @@ with lib; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ - { predicate = "-i lo"; target = "ACCEPT"; } - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { predicate = "-p icmp"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } ]; }; }; -- cgit v1.3.1 From 118b74fdb21d348c82b4bdc8ba88e5f39afe2ea7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:19:46 +0200 Subject: 2 lass.base: add nmap to defaultPackages --- 2configs/lass/base.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index b24e6a9a4..494cafa95 100644 --- a/2configs/lass/base.nix +++ b/2configs/lass/base.nix @@ -53,6 +53,8 @@ with lib; ''; environment.systemPackages = with pkgs; [ + nmap + git most rxvt_unicode.terminfo -- cgit v1.3.1 From b590d9e21d8c99a91fd419c3e0bea949a9ac6849 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 02:20:44 +0200 Subject: 1 lass.cloudkrebs: move config to fastpoke-pages --- 1systems/lass/cloudkrebs.nix | 1 + 2configs/lass/fastpoke-pages.nix | 103 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 2configs/lass/fastpoke-pages.nix diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index 53e23dbee..8b3e41584 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -6,6 +6,7 @@ ../../2configs/tv/CAC-CentOS-7-64bit.nix ../../2configs/lass/base.nix ../../2configs/lass/retiolum.nix + ../../2configs/lass/fastpoke-pages.nix { networking.interfaces.enp2s1.ip4 = [ { 
diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix new file mode 100644 index 000000000..2fd9a863a --- /dev/null +++ b/2configs/lass/fastpoke-pages.nix @@ -0,0 +1,103 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + imports = [ + ../../3modules/tv/nginx.nix + ../../3modules/lass/iptables.nix + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + ]; + }; + }; + + #createStaticPage = domain: + # { + # irc.nginx.servers."${domain}" = { + # server-names = [ + # "${domain}" + # "www.${domain}" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/${domain}; + # '') + # ]; + # }; + # networking.extraHosts = '' + # 10.243.206.102 ${domain} + # ''; + # }; + + #map createStaticPage [ + # "habsys.de" + # "pixelpocket.de" + # "karlaskop.de" + # "ubikmedia.de" + # "apanowicz.de" + # "aidsballs.de" + #]; + + tv.nginx = { + enable = true; + servers = { + + "habsys.de" = { + server-names = [ + "habsys.de" + "www.habsys.de" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/habsys.de; + '') + ]; + }; + + "karlaskop.de" = { + server-names = [ + "karlaskop.de" + "www.karlaskop.de" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/karlaskop.de; + '') + ]; + }; + + "pixelpocket.de" = { + server-names = [ + "pixelpocket.de" + "www.karlaskop.de" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/karlaskop.de; + '') + ]; + }; + + }; + }; + + networking.extraHosts = '' + 10.243.206.102 habsys.de karlaskop.de pixelpocket.de ubikmedia.de apanowicz.de + 10.243.206.102 aidsballs.de + ''; + + #services.postgresql = { + # enable = true; + #}; + + #config.services.vsftpd = { + # enable = true; + # userlistEnable = true; + # userlistFile = pkgs.writeFile "vsftpd-userlist" '' + # ''; + #}; +} -- cgit v1.3.1 From 4f131c40c88ab131e07e294cd1ddfa19b2f26d26 Mon Sep 17 00:00:00 2001 
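Review bot: The `"pixelpocket.de"` server block is a copy of the karlaskop one: its `server-names` list carries `"www.karlaskop.de"` instead of `"www.pixelpocket.de"` and its location uses `root /var/lib/http/karlaskop.de;`, so www.pixelpocket.de is not served and pixelpocket.de serves karlaskop's content. The commented-out `createStaticPage` helper would prevent exactly this mixup, though as written it assigns `irc.nginx.servers` rather than `tv.nginx.servers`, and the commented vsftpd stub calls `pkgs.writeFile`, which does not appear to be a nixpkgs builder (`writeText` is) — stubs that were never evaluated are better dropped than committed. `networking.extraHosts` also pins the six public domains to 10.243.206.102 on the web server itself, which is presumably for retiolum-side access and deserves a comment saying so.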
From: lassulus Date: Thu, 23 Jul 2015 13:14:32 +0200 Subject: 1 lass.cloudkrebs: add identity --- 1systems/lass/cloudkrebs.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index 8b3e41584..57b191020 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -7,6 +7,10 @@ ../../2configs/lass/base.nix ../../2configs/lass/retiolum.nix ../../2configs/lass/fastpoke-pages.nix + ../../2configs/lass/identity.nix + { + tv.identity.self = config.tv.identity.hosts.cloudkrebs; + } { networking.interfaces.enp2s1.ip4 = [ { -- cgit v1.3.1 From 629f621918589d6e2efa70d360e4c8bad61f5c4d Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 13:15:38 +0200 Subject: 3 tv.identity: add cloudkrebs domains --- 3modules/tv/identity.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/3modules/tv/identity.nix b/3modules/tv/identity.nix index 584b27165..9a83908a6 100644 --- a/3modules/tv/identity.nix +++ b/3modules/tv/identity.nix @@ -55,6 +55,12 @@ let retiolum = "hosts"; de.viljetic = "regfish"; de.krebsco = "ovh"; + de.habsys = "hosts"; + de.pixelpocket = "hosts"; + de.karlaskop = "hosts"; + de.ubikmedia = "hosts"; + de.apanowicz = "hosts"; + de.aidsballs = "hosts"; }; # splitByProvider : [alias] -> set providername [alias] -- cgit v1.3.1 From e2cf12b59d7142ce292cc086d260c7b5539adf05 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 23 Jul 2015 13:16:30 +0200 Subject: 2 lass.identity: add with cloudkrebs --- 2configs/lass/identity.nix | 48 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 2configs/lass/identity.nix diff --git a/2configs/lass/identity.nix b/2configs/lass/identity.nix new file mode 100644 index 000000000..bfaad14d2 --- /dev/null +++ b/2configs/lass/identity.nix 
@@ -0,0 +1,48 @@ +{ config, ... }: + +{ + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + search = "retiolum"; + hosts = { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + "aidsballs.de" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; + }; +} -- cgit v1.3.1 From 6476abd6ac7e000d0759569a1e2754acb2f518ca Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 24 Jul 2015 14:00:28 +0200 Subject: 2 lass.fastpoke-pages: use functions for static --- 2configs/lass/fastpoke-pages.nix | 121 ++++++++++++++++++++------------------- 1 file changed, 61 insertions(+), 60 deletions(-) diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix index 2fd9a863a..4db4847f4 100644 --- a/2configs/lass/fastpoke-pages.nix +++ b/2configs/lass/fastpoke-pages.nix 
@@ -1,10 +1,37 @@ { config, lib, pkgs, ... }: with lib; -{ + +let + createStaticPage = domain: + { + tv.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/${domain}; + '') + ]; + }; + #networking.extraHosts = '' + # 10.243.206.102 ${domain} + #''; + }; + +in { imports = [ ../../3modules/tv/nginx.nix ../../3modules/lass/iptables.nix + ] ++ map createStaticPage [ + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + "aidsballs.de" ]; lass.iptables = { 
@@ -15,72 +42,46 @@ with lib; }; }; - #createStaticPage = domain: - # { - # irc.nginx.servers."${domain}" = { - # server-names = [ - # "${domain}" - # "www.${domain}" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/${domain}; - # '') - # ]; - # }; - # networking.extraHosts = '' - # 10.243.206.102 ${domain} - # ''; - # }; - - #map createStaticPage [ - # "habsys.de" - # "pixelpocket.de" - # "karlaskop.de" - # "ubikmedia.de" - # "apanowicz.de" - # "aidsballs.de" - #]; tv.nginx = { enable = true; servers = { - "habsys.de" = { - server-names = [ - "habsys.de" - "www.habsys.de" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/habsys.de; - '') - ]; - }; + #"habsys.de" = { + # server-names = [ + # "habsys.de" + # "www.habsys.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/habsys.de; + # '') + # ]; + #}; - "karlaskop.de" = { - server-names = [ - "karlaskop.de" - "www.karlaskop.de" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/karlaskop.de; - '') - ]; - }; + #"karlaskop.de" = { + # server-names = [ + # "karlaskop.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; - "pixelpocket.de" = { - server-names = [ - "pixelpocket.de" - "www.karlaskop.de" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/karlaskop.de; - '') - ]; - }; + #"pixelpocket.de" = { + # server-names = [ + # "pixelpocket.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; }; }; -- cgit v1.3.1 From f392909ea3ce9585e5ecc533af772602559d2c3e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:54:29 +0200 Subject: 1 lass: get identity from krebs --- 1systems/lass/cloudkrebs.nix | 12 ++---------- 1systems/lass/mors.nix | 9 +++------ 1systems/lass/uriel.nix | 9 +++------ 3 files changed, 8 insertions(+), 22 deletions(-) 
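Review bot: The second hunk comments out the three hand-written server blocks instead of deleting them now that `createStaticPage` generates equivalent entries, so the file keeps dead text including the pixelpocket/karlaskop mixup (`"www.karlaskop.de"` and `root /var/lib/http/karlaskop.de;` under `"pixelpocket.de"`); git history preserves the old form, so the blocks can go and `servers = { };` can stay empty or be removed. The helper in the first hunk also carries a commented `networking.extraHosts` line that duplicates the live `networking.extraHosts` further down the file — keep one of the two. The enclosing `tv.nginx` attribute set closes inside the hunk.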
diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index 57b191020..ba32ae579 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -7,10 +7,6 @@ ../../2configs/lass/base.nix ../../2configs/lass/retiolum.nix ../../2configs/lass/fastpoke-pages.nix - ../../2configs/lass/identity.nix - { - tv.identity.self = config.tv.identity.hosts.cloudkrebs; - } { networking.interfaces.enp2s1.ip4 = [ { @@ -24,14 +20,10 @@ ]; } - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - }; - } ]; + krebs.enable = true; + krebs.build.host = config.krebs.hosts.cloudkrebs; networking.hostName = "cloudkrebs"; } diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index 300738089..882cb9ff1 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -20,14 +20,11 @@ ../../2configs/lass/git-repos.nix ../../2configs/tv/synaptics.nix ../../2configs/lass/retiolum.nix - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - }; - } ]; + krebs.enable = true; + krebs.build.host = config.krebs.hosts.mors; + networking.hostName = "mors"; networking.wireless.enable = true; diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index a6f5a82d6..d8858b4f6 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix @@ -12,12 +12,6 @@ with builtins; ../../2configs/lass/git-repos.nix ../../2configs/lass/chromium-patched.nix ../../2configs/lass/retiolum.nix - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - }; - } { users.extraUsers = { root = { @@ -29,7 +23,10 @@ with builtins; } ]; + krebs.enable = true; + krebs.build.host = config.krebs.hosts.uriel; networking.hostName = "uriel"; + networking.wireless.enable = true; nix.maxJobs = 2; -- cgit v1.3.1 From 5daf0be71967de2d2ef9d9902d9132cee6e68d83 Mon Sep 17 00:00:00 2001 
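Review bot: The three hunks set `krebs.build.host = config.krebs.hosts.<name>` for cloudkrebs, mors and uriel, but `krebs.hosts.cloudkrebs`, `.mors` and `.uriel` are only added to `3modules/krebs/default.nix` by a later commit in this series (e621099), so unless they already exist on this branch these systems fail to evaluate between the two commits; reordering or squashing keeps every commit buildable. The uriel.nix hunk also slips in `networking.wireless.enable = true;`, which is unrelated to the identity change and should be its own commit or at least named in the message. Each hunk sits inside the module's top-level attribute set, which begins before the hunk.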
From: lassulus Date: Mon, 27 Jul 2015 13:55:16 +0200 Subject: 2 lass.fastpoke-pages: tv.nginx -> krebs.nginx --- 2configs/lass/fastpoke-pages.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix index 4db4847f4..3d6fcf2e1 100644 --- a/2configs/lass/fastpoke-pages.nix +++ b/2configs/lass/fastpoke-pages.nix @@ -5,7 +5,7 @@ with lib; let createStaticPage = domain: { - tv.nginx.servers."${domain}" = { + krebs.nginx.servers."${domain}" = { server-names = [ "${domain}" "www.${domain}" @@ -23,7 +23,6 @@ let in { imports = [ - ../../3modules/tv/nginx.nix ../../3modules/lass/iptables.nix ] ++ map createStaticPage [ "habsys.de" @@ -43,7 +42,7 @@ in { }; - tv.nginx = { + krebs.nginx = { enable = true; servers = { -- cgit v1.3.1 From cee80c3a67ba9d097733e9c42fa740729803f393 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:56:46 +0200 Subject: 2 lass.retiolum: tv.retiolum -> krebs.retiolum --- 2configs/lass/retiolum.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/2configs/lass/retiolum.nix b/2configs/lass/retiolum.nix index d1389ad2a..767a1ce83 100644 --- a/2configs/lass/retiolum.nix +++ b/2configs/lass/retiolum.nix @@ -3,7 +3,6 @@ { imports = [ ../../3modules/lass/iptables.nix - ../../3modules/tv/retiolum.nix ../../2configs/tv/exim-retiolum.nix ]; @@ -17,7 +16,7 @@ }; }; - tv.retiolum = { + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ -- cgit v1.3.1 From 611ae1101e303c860624c39a62c745420a37cd18 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:57:46 +0200 Subject: 1 lass: use new-repos.nix --- 1systems/lass/cloudkrebs.nix | 1 + 1systems/lass/mors.nix | 2 +- 1systems/lass/uriel.nix | 2 +- 2configs/lass/new-repos.nix | 77 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 80 insertions(+), 2 deletions(-) create mode 100644 2configs/lass/new-repos.nix 
diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix index ba32ae579..2c755d8cb 100644 --- a/1systems/lass/cloudkrebs.nix +++ b/1systems/lass/cloudkrebs.nix @@ -7,6 +7,7 @@ ../../2configs/lass/base.nix ../../2configs/lass/retiolum.nix ../../2configs/lass/fastpoke-pages.nix + ../../2configs/lass/new-repos.nix { networking.interfaces.enp2s1.ip4 = [ { diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index 882cb9ff1..ee2184afd 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -17,7 +17,7 @@ ../../2configs/lass/binary-caches.nix ../../2configs/lass/ircd.nix ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/git-repos.nix + ../../2configs/lass/new-repos.nix ../../2configs/tv/synaptics.nix ../../2configs/lass/retiolum.nix ]; diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index d8858b4f6..4fe8cf21a 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix @@ -9,7 +9,7 @@ with builtins; ../../2configs/lass/pass.nix ../../2configs/lass/urxvt.nix ../../2configs/lass/bird.nix - ../../2configs/lass/git-repos.nix + ../../2configs/lass/new-repos.nix ../../2configs/lass/chromium-patched.nix ../../2configs/lass/retiolum.nix { diff --git a/2configs/lass/new-repos.nix b/2configs/lass/new-repos.nix new file mode 100644 index 000000000..2c73f9509 --- /dev/null +++ b/2configs/lass/new-repos.nix 
@@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with import ../../4lib/tv { inherit lib pkgs; }; +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.krebs.build.host.name}"; + root-desc = "keep calm and engage"; + inherit repos rules; + }; + }; + + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.krebs.build.host.secure restricted-repos + ); + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + painload = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ tv makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs; } + ); + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + +in out -- cgit v1.3.1 From e621099022e7ae136c0342a401c75c70f32a0d69 Mon Sep 17 00:00:00 2001 
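Review bot: The collaborator rule in `make-rules` can never fire: `make-restricted-repo` returns only `name`, `desc` and `public` (its `...` pattern discards `collaborators`), `repos` strips the attribute once more, and `rules = concatMap make-rules (attrValues repos)` iterates that stripped set, so `repo.collaborators or []` is always empty and tv and makefu get no fetch access to `brain` despite being listed. Carry the list through the repo constructor and derive the rules from an unstripped set, as below; if the `repo` field of a rule must match an entry of `repos` exactly, strip the attribute inside `make-rules` instead of passing the full set. The `let` block these definitions live in is entirely inside the hunk.
```nix
  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos-with-collaborators;

  # unstripped set: collaborator lists are needed for rule generation only
  repos-with-collaborators =
    public-repos //
    optionalAttrs config.krebs.build.host.secure restricted-repos;

  rules = concatMap make-rules (attrValues repos-with-collaborators);

  # … unchanged: public-repos, restricted-repos, make-public-repo …

  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
  };

  # … unchanged: make-rules …
```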
From: lassulus Date: Mon, 27 Jul 2015 13:59:00 +0200 Subject: 3 krebs: add lass's hosts domain --- 3modules/krebs/default.nix | 91 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 33c108811..5251f97ca 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -66,6 +66,11 @@ let retiolum = "hosts"; de.viljetic = "regfish"; de.krebsco = "ovh"; + de.habsys = "hosts"; + de.pixelpocket = "hosts"; + de.karlaskop = "hosts"; + de.ubikmedia = "hosts"; + de.apanowicz = "hosts"; }; # splitByProvider : [alias] -> listset providername alias 
@@ -93,6 +98,92 @@ let
 lass-imp = {
 hosts = addNames {
+ cloudkrebs = {
+ cores = 1;
+ dc = "lass"; #dc = "cac";
+ nets = rec {
+ internet = {
+ addrs4 = ["104.167.113.104"];
+ aliases = [
+ "cloudkrebs.internet"
+ ];
+ };
+ retiolum = {
+ via = internet;
+ addrs4 = ["10.243.206.102"];
+ addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"];
+ aliases = [
+ "cloudkrebs.retiolum"
+ "cgit.cloudkrebs.retiolum"
+ "habsys.de"
+ "pixelpocket.de"
+ "karlaskop.de"
+ "ubikmedia.de"
+ "apanowicz.de"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA
+ OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF
+ QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v
+ 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC
+ sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO
+ TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ uriel = {
+ cores = 1;
+ dc = "lass";
+ nets = rec {
+ retiolum = {
+ addrs4 = ["10.243.81.176"];
+ addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"];
+ aliases = [
+ "uriel.retiolum"
+ "cgit.uriel.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR
+ duJkk8Fj12ftMc+Of1gnwDkFhRcfAKOeH1RSc4CTircWVq99WyecTwEZoaR/goQb
+ MND022kIBoG6NQNxv1Y5I1B/h7hfloMFEPym9oFtOAXoGhBY2vVl4g64NNz+RLME
+ m1RipLXKANAh6LRNPGPQCUYX4TVY2ZJVxM3CM1XdomUAdOYXJmWFyUg9NcIKaacx
+ uRrmuy7J9yFBcihZX5Y7NV361kINrpRmZYxJRf9cr0hb5EkJJ7bMIKQMEFQ5RnYo
+ u7MPGKD7aNHa6hLLCeIfJ5u0igVmSLh3pwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ mors = {
+ cores = 2;
+ dc = "lass";
+ nets = rec {
+ retiolum = {
+ addrs4 = ["10.243.0.2"];
+ addrs6 = ["42:0:0:0:0:0:0:dea7"];
+ aliases = [
+ "mors.retiolum"
+ "cgit.mors.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE
+ H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R
+ +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+
+ 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa
+ 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU
+ O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ secure = true;
+ };
+ };
 users = addNames {
 lass = {
-- cgit v1.3.1 From 8d2cb8cfcf6b7a087163eb879471ec74b902379c Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:59:22 +0200 Subject: 1 lass.mors: open tcp 8000 --- 1systems/lass/mors.nix | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix
index ee2184afd..e854dd525 100644
--- a/1systems/lass/mors.nix
+++ b/1systems/lass/mors.nix
@@ -186,4 +186,12 @@
 services.mongodb = {
 enable = true;
 };
+
+ lass.iptables = {
+ tables = {
+ filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }
+ ];
+ };
+ };
 }
-- cgit v1.3.1 From da925fd8223b5e7e066d78759faf89df8ddd2e9d Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 13:59:47 +0200 Subject: 2 lass.fastpoke-pages: dont write /etc/hosts --- 2configs/lass/fastpoke-pages.nix | 6 ------ 1 file changed, 6 deletions(-)
diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix
index 3d6fcf2e1..74e92ccc3 100644
--- a/2configs/lass/fastpoke-pages.nix
+++ b/2configs/lass/fastpoke-pages.nix
@@ -30,7 +30,6 @@ in {
 "karlaskop.de"
 "ubikmedia.de"
 "apanowicz.de"
- "aidsballs.de"
 ];
 lass.iptables = {
@@ -85,11 +84,6 @@ in {
 };
 };
- networking.extraHosts = ''
- 10.243.206.102 habsys.de karlaskop.de pixelpocket.de ubikmedia.de apanowicz.de
- 10.243.206.102 aidsballs.de
- '';
- #services.postgresql = { # enable = true; #}; -- cgit v1.3.1 From f2fd8a6ec978d73df9df1bf280dc2173e7039e05 Mon Sep 17 00:00:00 2001
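Review bot: The added `filter.INPUT.rules` entry accepts TCP 8000 from every interface and every source address, and nothing in the hunk says which service listens there; this page also shows `networking.wireless.enable = true` for `mors` in the later deletion of the same file, so the port is open on whatever network the laptop joins. If the listener is only meant for VPN peers, scope it the way the `-i retiolum -p tcp --dport 80` rule in git-repos.nix does: `{ predicate = "-i retiolum -p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }`. The same file carries `networking.firewall.allowedTCPPorts = [ 8000 ]` (visible in that later deletion as well), so two firewall mechanisms now open the same port and a comment above the rule should name the service and say which mechanism is authoritative, e.g. `# 8000: <service> — lass.iptables, not networking.firewall, is the rule that counts here`. The module attribute set this sits in starts outside the hunk.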
From: lassulus Date: Mon, 27 Jul 2015 14:00:37 +0200 Subject: 2 lass.git-repos: delete --- 2configs/lass/git-repos.nix | 140 -------------------------------------------- 1 file changed, 140 deletions(-) delete mode 100644 2configs/lass/git-repos.nix diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix deleted file mode 100644 index b4f446aef..000000000 --- a/2configs/lass/git-repos.nix +++ /dev/null 
@@ -1,140 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (builtins) map readFile; - inherit (lib) concatMap listToAttrs; - # TODO lib should already include our stuff - inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git; - - x-repos = [ - (krebs-private "brain") - - (public "painload") - (public "shitment") - (public "wai-middleware-time") - (public "web-routes-wai-custom") - - (secret "pass") - - (tv-lass "emse-drywall") - (tv-lass "emse-hsdb") - ]; - - users = addNames { - tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; - lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; }; - uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; - makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; }; - }; - - repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos); - - rules = concatMap ({ rules, ... }: rules) x-repos; - - krebs-private = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "cd.retiolum"; - }; - }; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - public = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "cd.retiolum"; - }; - }; - public = true; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - secret = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo 
]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - tv-lass = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - -in - -{ - imports = [ - ../../3modules/tv/git.nix - ../../3modules/lass/iptables.nix - ]; - - tv.git = { - enable = true; - inherit repos rules users; - }; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } - ]; - }; - }; - -} -- cgit v1.3.1 From 0be43cc3df3e02ad51642a97496b32e897c5dd00 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 14:01:00 +0200 Subject: 3 lass: init default.nix --- 3modules/lass/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 3modules/lass/default.nix diff --git a/3modules/lass/default.nix b/3modules/lass/default.nix new file mode 100644 index 000000000..d4e231ec7 --- /dev/null +++ b/3modules/lass/default.nix @@ -0,0 +1,8 @@ +_: + +{ + imports = [ + ./xresources.nix + ./iptables.nix + ]; +} -- cgit v1.3.1 From a141fa1e0c7ed11510d3a1006576b05ce4e280cb Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 27 Jul 2015 17:03:20 +0200 Subject: lass: move krebs config to base --- 1systems/lass/mors.nix | 1 - 2configs/lass/base.nix | 5 +++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index e854dd525..8cda1eac3 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -22,7 +22,6 @@ ../../2configs/lass/retiolum.nix ]; - krebs.enable = true; krebs.build.host = config.krebs.hosts.mors; networking.hostName = "mors"; diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix index 494cafa95..8d4a9c896 100644 
--- a/2configs/lass/base.nix
+++ b/2configs/lass/base.nix
@@ -36,6 +36,11 @@ with lib;
 }
 ];
+ krebs = {
+ enable = true;
+ search-domain = "retiolum";
+ };
+
 nix.useChroot = true;
 users.mutableUsers = false;
-- cgit v1.3.1 From 6167afb8b5f5e06a51745b71a47b6b0339aa0e99 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 27 Jul 2015 16:26:50 +0200 Subject: krebs.build.script: update system profile --- 3modules/krebs/default.nix | 100 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+)
diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix
index 5251f97ca..c71b70ab4 100644
--- a/3modules/krebs/default.nix
+++ b/3modules/krebs/default.nix
@@ -22,6 +22,106 @@ let
 build = mkOption {
 type = types.submodule {
 options = {
+ target = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ };
+ deps = mkOption {
+ type = with types; attrsOf (submodule {
+ options = {
+ url = mkOption {
+ type = str;
+ };
+ rev = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ };
+ });
+ default = {};
+ };
+ script = mkOption {
+ type = types.str;
+ default = ''
+ #! /bin/sh
+ set -efux
+
+ target=${escapeShellArg cfg.build.target}
+
+ push(){(
+ src=$1/
+ dst=$target:$2
+ rsync \
+ --exclude .git \
+ --exclude .graveyard \
+ --exclude old \
+ --rsync-path="mkdir -p \"$dst\" && rsync" \
+ --usermap=\*:0 \
+ --groupmap=\*:0 \
+ --delete-excluded \
+ -vrLptgoD \
+ "$src" "$dst"
+ )}
+
+ ${concatStrings (mapAttrsToList (name: { url, rev, ... }:
+ optionalString (rev == null) ''
+ push ${toString (map escapeShellArg [
+ "${url}"
+ "/root/src/${name}"
+ ])}
+ '') config.deps)}
+
+ exec ssh -S none "$target" /bin/sh <<\EOF
+ set -efux
+ fetch(){(
+ url=$1
+ rev=$2
+ dst=$3
+ mkdir -p "$dst"
+ cd "$dst"
+ if ! test -e .git; then
+ git init
+ fi
+ if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
+ git remote add origin "$url"
+ elif test "$cur_url" != "$url"; then
+ git remote set-url origin "$url"
+ fi
+ if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then
+ git fetch origin
+ git checkout "$rev" -- .
+ git checkout -q "$rev"
+ git submodule init
+ git submodule update
+ fi
+ git clean -dxf
+ )}
+
+ ${concatStrings (mapAttrsToList (name: { url, rev, ... }:
+ optionalString (rev != null) ''
+ fetch ${toString (map escapeShellArg [
+ url
+ rev
+ "/root/src/${name}"
+ ])}
+ '') config.deps)}
+
+ echo build system...
+ profile=/nix/var/nix/profiles/system
+ NIX_PATH=/root/src \
+ nix-env \
+ -Q \
+ -p "$profile" \
+ -f '' \
+ --set \
+ -A system \
+ --argstr user-name ${escapeShellArg cfg.build.user.name} \
+ --argstr system-name ${escapeShellArg cfg.build.host.name}
+
+ exec "$profile"/bin/switch-to-configuration switch
+ EOF
+ '';
+ };
 host = mkOption {
 type = types.host;
 };
-- cgit v1.3.1 From ac64527c5707cca5fc6e6e6ecf3957129cdb32b2 Mon Sep 17 00:00:00 2001
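Review bot: In `push`, `dst` is set to `$target:$2` and then reused in `--rsync-path="mkdir -p \"$dst\" && rsync"`; that command string runs on the remote host, so its `mkdir -p` receives the `host:` prefix and creates a stray relative directory under the remote working directory instead of ensuring `$2` exists — use the bare path, `--rsync-path="mkdir -p \"$2\" && rsync" \`. On the fetch side a dependency is pinned only as strongly as `rev` is specific: the guard compares `git rev-parse --verify HEAD` with `$rev`, so a branch or tag name never matches, re-fetches on every run and checks out whatever the remote currently serves, whereas a full commit id yields a stable tree; the new `target`, `deps` and `script` options carry no `description` at all, and `rev` should state this, e.g. `description = "Commit id to check out on the target; null pushes the local checkout instead.";`. Since `--usermap=\*:0 --groupmap=\*:0` re-owns every pushed file to root and the remote then runs `git clean -dxf` in each `/root/src/<name>`, a one-line comment above `push(){(` saying that the target directories are fully managed (local edits there are discarded) would save the next user a surprise. The enclosing `build` submodule and `cfg` are defined outside the hunk.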
From: lassulus Date: Tue, 28 Jul 2015 20:28:21 +0200 Subject: lass: port everything to stockholm --- 1systems/lass/cloudkrebs.nix | 30 ------ 1systems/lass/mors.nix | 196 ---------------------------------- 1systems/lass/uriel.nix | 166 ----------------------------- 2configs/lass/base.nix | 143 ------------------------- 2configs/lass/binary-caches.nix | 13 --- 2configs/lass/bird.nix | 13 --- 2configs/lass/bitcoin.nix | 17 --- 2configs/lass/browsers.nix | 67 ------------ 2configs/lass/chromium-patched.nix | 48 --------- 2configs/lass/desktop-base.nix | 63 ----------- 2configs/lass/elster.nix | 20 ---- 2configs/lass/fastpoke-pages.nix | 97 ----------------- 2configs/lass/games.nix | 25 ----- 2configs/lass/gitolite-base.nix | 173 ------------------------------ 2configs/lass/identity.nix | 48 --------- 2configs/lass/ircd.nix | 92 ---------------- 2configs/lass/mors/repos.nix | 87 --------------- 2configs/lass/mors/retiolum.nix | 21 ---- 2configs/lass/new-repos.nix | 77 -------------- 2configs/lass/pass.nix | 10 -- 2configs/lass/programs.nix | 24 ----- 2configs/lass/retiolum.nix | 28 ----- 2configs/lass/sshkeys.nix | 11 -- 2configs/lass/steam.nix | 30 ------ 2configs/lass/texlive.nix | 7 -- 2configs/lass/urxvt.nix | 40 ------- 2configs/lass/vim.nix | 118 --------------------- 2configs/lass/virtualbox.nix | 22 ---- 2configs/lass/wine.nix | 23 ---- 3modules/lass/default.nix | 8 -- 3modules/lass/iptables.nix | 187 -------------------------------- 3modules/lass/sshkeys.nix | 26 ----- 3modules/lass/urxvtd.nix | 55 ---------- 3modules/lass/xresources.nix | 57 ---------- lass/1systems/cloudkrebs.nix | 45 ++++++++ lass/1systems/mors.nix | 211 +++++++++++++++++++++++++++++++++++++ lass/1systems/uriel.nix | 181 +++++++++++++++++++++++++++++++ lass/2configs/base.nix | 143 +++++++++++++++++++++++++ lass/2configs/binary-caches.nix | 13 +++ lass/2configs/bird.nix | 13 +++ lass/2configs/bitcoin.nix | 17 +++ lass/2configs/browsers.nix | 67 ++++++++++++ lass/2configs/chromium-patched.nix 
| 48 +++++++++ lass/2configs/desktop-base.nix | 63 +++++++++++ lass/2configs/elster.nix | 20 ++++ lass/2configs/fastpoke-pages.nix | 97 +++++++++++++++++ lass/2configs/games.nix | 25 +++++ lass/2configs/gitolite-base.nix | 173 ++++++++++++++++++++++++++++++ lass/2configs/identity.nix | 48 +++++++++ lass/2configs/ircd.nix | 92 ++++++++++++++++ lass/2configs/mors/repos.nix | 87 +++++++++++++++ lass/2configs/mors/retiolum.nix | 21 ++++ lass/2configs/new-repos.nix | 77 ++++++++++++++ lass/2configs/pass.nix | 10 ++ lass/2configs/programs.nix | 24 +++++ lass/2configs/retiolum.nix | 28 +++++ lass/2configs/sshkeys.nix | 11 ++ lass/2configs/steam.nix | 30 ++++++ lass/2configs/texlive.nix | 7 ++ lass/2configs/urxvt.nix | 40 +++++++ lass/2configs/vim.nix | 118 +++++++++++++++++++++ lass/2configs/virtualbox.nix | 22 ++++ lass/2configs/wine.nix | 23 ++++ lass/3modules/default.nix | 8 ++ lass/3modules/iptables.nix | 187 ++++++++++++++++++++++++++++++++ lass/3modules/sshkeys.nix | 26 +++++ lass/3modules/urxvtd.nix | 55 ++++++++++ lass/3modules/xresources.nix | 57 ++++++++++ 68 files changed, 2087 insertions(+), 2042 deletions(-) delete mode 100644 1systems/lass/cloudkrebs.nix delete mode 100644 1systems/lass/mors.nix delete mode 100644 1systems/lass/uriel.nix delete mode 100644 2configs/lass/base.nix delete mode 100644 2configs/lass/binary-caches.nix delete mode 100644 2configs/lass/bird.nix delete mode 100644 2configs/lass/bitcoin.nix delete mode 100644 2configs/lass/browsers.nix delete mode 100644 2configs/lass/chromium-patched.nix delete mode 100644 2configs/lass/desktop-base.nix delete mode 100644 2configs/lass/elster.nix delete mode 100644 2configs/lass/fastpoke-pages.nix delete mode 100644 2configs/lass/games.nix delete mode 100644 2configs/lass/gitolite-base.nix delete mode 100644 2configs/lass/identity.nix delete mode 100644 2configs/lass/ircd.nix delete mode 100644 2configs/lass/mors/repos.nix delete mode 100644 2configs/lass/mors/retiolum.nix delete mode 100644 
2configs/lass/new-repos.nix delete mode 100644 2configs/lass/pass.nix delete mode 100644 2configs/lass/programs.nix delete mode 100644 2configs/lass/retiolum.nix delete mode 100644 2configs/lass/sshkeys.nix delete mode 100644 2configs/lass/steam.nix delete mode 100644 2configs/lass/texlive.nix delete mode 100644 2configs/lass/urxvt.nix delete mode 100644 2configs/lass/vim.nix delete mode 100644 2configs/lass/virtualbox.nix delete mode 100644 2configs/lass/wine.nix delete mode 100644 3modules/lass/default.nix delete mode 100644 3modules/lass/iptables.nix delete mode 100644 3modules/lass/sshkeys.nix delete mode 100644 3modules/lass/urxvtd.nix delete mode 100644 3modules/lass/xresources.nix create mode 100644 lass/1systems/cloudkrebs.nix create mode 100644 lass/1systems/mors.nix create mode 100644 lass/1systems/uriel.nix create mode 100644 lass/2configs/base.nix create mode 100644 lass/2configs/binary-caches.nix create mode 100644 lass/2configs/bird.nix create mode 100644 lass/2configs/bitcoin.nix create mode 100644 lass/2configs/browsers.nix create mode 100644 lass/2configs/chromium-patched.nix create mode 100644 lass/2configs/desktop-base.nix create mode 100644 lass/2configs/elster.nix create mode 100644 lass/2configs/fastpoke-pages.nix create mode 100644 lass/2configs/games.nix create mode 100644 lass/2configs/gitolite-base.nix create mode 100644 lass/2configs/identity.nix create mode 100644 lass/2configs/ircd.nix create mode 100644 lass/2configs/mors/repos.nix create mode 100644 lass/2configs/mors/retiolum.nix create mode 100644 lass/2configs/new-repos.nix create mode 100644 lass/2configs/pass.nix create mode 100644 lass/2configs/programs.nix create mode 100644 lass/2configs/retiolum.nix create mode 100644 lass/2configs/sshkeys.nix create mode 100644 lass/2configs/steam.nix create mode 100644 lass/2configs/texlive.nix create mode 100644 lass/2configs/urxvt.nix create mode 100644 lass/2configs/vim.nix create mode 100644 lass/2configs/virtualbox.nix create mode 
100644 lass/2configs/wine.nix create mode 100644 lass/3modules/default.nix create mode 100644 lass/3modules/iptables.nix create mode 100644 lass/3modules/sshkeys.nix create mode 100644 lass/3modules/urxvtd.nix create mode 100644 lass/3modules/xresources.nix diff --git a/1systems/lass/cloudkrebs.nix b/1systems/lass/cloudkrebs.nix deleted file mode 100644 index 2c755d8cb..000000000 --- a/1systems/lass/cloudkrebs.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../../2configs/tv/CAC-Developer-2.nix - ../../2configs/tv/CAC-CentOS-7-64bit.nix - ../../2configs/lass/base.nix - ../../2configs/lass/retiolum.nix - ../../2configs/lass/fastpoke-pages.nix - ../../2configs/lass/new-repos.nix - { - networking.interfaces.enp2s1.ip4 = [ - { - address = "104.167.113.104"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "104.167.113.1"; - networking.nameservers = [ - "8.8.8.8" - ]; - - } - ]; - - krebs.enable = true; - krebs.build.host = config.krebs.hosts.cloudkrebs; - networking.hostName = "cloudkrebs"; - -} diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix deleted file mode 100644 index 8cda1eac3..000000000 --- a/1systems/lass/mors.nix +++ /dev/null 
@@ -1,196 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/programs.nix - ../../2configs/lass/bitcoin.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/virtualbox.nix - ../../2configs/lass/elster.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/steam.nix - ../../2configs/lass/wine.nix - ../../2configs/lass/texlive.nix - ../../2configs/lass/binary-caches.nix - ../../2configs/lass/ircd.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/new-repos.nix - ../../2configs/tv/synaptics.nix - ../../2configs/lass/retiolum.nix - ]; - - krebs.build.host = config.krebs.hosts.mors; - - networking.hostName = "mors"; - networking.wireless.enable = true; - - networking.extraHosts = '' - ''; - - nix.maxJobs = 4; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - - boot = { - loader.grub.enable = true; - loader.grub.version = 2; - loader.grub.device = "/dev/sda"; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - }; - fileSystems = { - "/" = { - device = "/dev/big/nix"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - - "/mnt/loot" = { - device = "/dev/big/loot"; - fsType = "ext4"; - }; - - "/home" = { - device = "/dev/big/home"; - fsType = "ext4"; - }; - - "/home/lass" = { - device = "/dev/big/home-lass"; - fsType = "ext4"; - }; - - "/mnt/backups" = { - device = "/dev/big/backups"; - fsType = "ext4"; - }; - - "/home/games/.local/share/Steam" = { - device = "/dev/big/steam"; - fsType = "ext4"; - }; - - "/home/virtual/virtual" = { - device = "/dev/big/virtual"; - fsType = "ext4"; - }; - - "/mnt/public" = { - device = "/dev/big/public"; - 
fsType = "ext4"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" - ''; - - #TODO activationScripts seem broken, fix them! - #activationScripts - #split up and move into base - system.activationScripts.powertopTunables = '' - #Enable Audio codec power management - echo '1' > '/sys/module/snd_hda_intel/parameters/power_save' - #VM writeback timeout - echo '1500' > '/proc/sys/vm/dirty_writeback_centisecs' - #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp] - echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control' - #Autosuspend for USB device Biometric Coprocessor - echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control' - - #Runtime PMs - echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' - ''; - - hardware.trackpoint = { - enable = true; - sensitivity = 220; - speed = 
0; - emulateWheel = true; - }; - - #system.activationScripts.trackpoint = '' - # echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed' - # echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity' - #''; - - services.xserver = { - videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel ]; - deviceSection = '' - Option "AccelMethod" "sna" - BusID "PCI:0:2:0" - ''; - }; - - environment.systemPackages = with pkgs; [ - ]; - - #TODO: fix this shit - ##fprint stuff - ##sudo fprintd-enroll $USER to save fingerprints - #services.fprintd.enable = true; - #security.pam.services.sudo.fprintAuth = true; - - users.extraGroups = { - loot = { - members = [ - config.users.extraUsers.mainUser.name - "firefox" - "chromium" - "google" - "virtual" - ]; - }; - }; - - networking.firewall = { - allowPing = true; - allowedTCPPorts = [ - 8000 - ]; - allowedUDPPorts = [ - 67 - ]; - }; - - services.mongodb = { - enable = true; - }; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } - ]; - }; - }; -} diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix deleted file mode 100644 index 4fe8cf21a..000000000 --- a/1systems/lass/uriel.nix +++ /dev/null 
@@ -1,166 +0,0 @@ -{ config, pkgs, ... }: - -with builtins; -{ - imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/bird.nix - ../../2configs/lass/new-repos.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/retiolum.nix - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/uriel.ssh.pub - ]; - }; - }; - } - ]; - - krebs.enable = true; - krebs.build.host = config.krebs.hosts.uriel; - networking.hostName = "uriel"; - - networking.wireless.enable = true; - nix.maxJobs = 2; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - - boot = { - #kernelParams = [ - # "acpi.brightness_switch_enabled=0" - #]; - #loader.grub.enable = true; - #loader.grub.version = 2; - #loader.grub.device = "/dev/sda"; - - loader.gummiboot.enable = true; - loader.gummiboot.timeout = 5; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - extraModprobeConfig = '' - ''; - }; - fileSystems = { - "/" = { - device = "/dev/pool/root"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" - ''; - - #services.xserver = { - #}; - - services.xserver.synaptics = { - enable = true; - twoFingerScroll = true; - accelFactor = "0.035"; - additionalOptions = '' - Option "FingerHigh" "60" - Option "FingerLow" "60" - ''; - }; - - environment.systemPackages = with pkgs; [ - ]; - - #for google hangout - - users.extraUsers.google.extraGroups = [ "audio" 
"video" ]; - - - #users.extraGroups = { - # loot = { - # members = [ - # "lass" - # "firefox" - # "chromium" - # "google" - # ]; - # }; - #}; - # - # iptables - # - #networking.firewall.enable = false; - #system.activationScripts.iptables = - # let - # log = false; - # when = c: f: if c then f else ""; - # in - # '' - # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } - # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } - # ipXtables() { ip4tables "$@"; ip6tables "$@"; } - - # # - # # nat - # # - - # # reset tables - # ipXtables -t nat -F - # ipXtables -t nat -X - - # # - # #ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 - # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh - - # # - # # filter - # # - - # # reset tables - # ipXtables -P INPUT DROP - # ipXtables -P FORWARD DROP - # ipXtables -F - # ipXtables -X - - # # create custom chains - # ipXtables -N Retiolum - - # # INPUT - # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # ipXtables -A INPUT -j ACCEPT -i lo - # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW - # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW - # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW - # ipXtables -A INPUT -j Retiolum -i retiolum - # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} - - # # FORWARD - # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} - - # # Retiolum - # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request - # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request - - - # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} - # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - # ip4tables -A 
Retiolum -j REJECT --reject-with icmp-proto-unreachable - # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable - # ip6tables -A Retiolum -j REJECT - - # ''; -} diff --git a/2configs/lass/base.nix b/2configs/lass/base.nix deleted file mode 100644 index 8d4a9c896..000000000 --- a/2configs/lass/base.nix +++ /dev/null 
@@ -1,143 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -{ - imports = [ - ../../3modules/lass/iptables.nix - ../../2configs/lass/vim.nix - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import /root/src/secrets/hashedPasswords.nix); - } - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/lass.ssh.pub - ]; - }; - mainUser = { - name = "lass"; - uid = 1337; - home = "/home/lass"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - "audio" - "wheel" - ]; - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/lass.ssh.pub - ]; - }; - }; - } - ]; - - krebs = { - enable = true; - search-domain = "retiolum"; - }; - - nix.useChroot = true; - - users.mutableUsers = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - PAGER=most - ''; - - environment.systemPackages = with pkgs; [ - nmap - - git - most - rxvt_unicode.terminfo - - #network - iptables - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - security.setuidPrograms = [ - "sendmail" - ]; - - #services.gitolite = { - # enable = true; - # dataDir = 
"/home/gitolite"; - # adminPubkey = config.sshKeys.lass.pub; - #}; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - lass.iptables = { - enable = true; - tables = { - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - ]; - }; - }; - -} diff --git a/2configs/lass/binary-caches.nix b/2configs/lass/binary-caches.nix deleted file mode 100644 index c2727520d..000000000 --- a/2configs/lass/binary-caches.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - nix.sshServe.enable = true; - nix.sshServe.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" - ]; - nix.binaryCaches = [ - #"scp://nix-ssh@mors" - #"scp://nix-ssh@uriel" - ]; -} diff --git a/2configs/lass/bird.nix b/2configs/lass/bird.nix deleted file mode 100644 index 3fc265cd7..000000000 --- a/2configs/lass/bird.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - config.services.bird = { - enable = true; - config = '' - router id 192.168.122.1; - protocol device { - scan time 10; - } - ''; - }; -} diff --git a/2configs/lass/bitcoin.nix b/2configs/lass/bitcoin.nix deleted file mode 100644 index d3bccbf5c..000000000 --- a/2configs/lass/bitcoin.nix +++ /dev/null 
@@ -1,17 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - electrum - ]; - - users.extraUsers = { - bitcoin = { - name = "bitcoin"; - description = "user for bitcoin stuff"; - home = "/home/bitcoin"; - useDefaultShell = true; - createHome = true; - }; - }; -} diff --git a/2configs/lass/browsers.nix b/2configs/lass/browsers.nix deleted file mode 100644 index 8aecea925..000000000 --- a/2configs/lass/browsers.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - - nixpkgs.config.packageOverrides = pkgs : { - chromium = pkgs.chromium.override { - pulseSupport = true; - }; - }; - - environment.systemPackages = with pkgs; [ - firefox - ]; - - users.extraUsers = { - firefox = { - name = "firefox"; - description = "user for running firefox"; - home = "/home/firefox"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - chromium = { - name = "chromium"; - description = "user for running chromium"; - home = "/home/chromium"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - facebook = { - name = "facebook"; - description = "user for running facebook in chromium"; - home = "/home/facebook"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - google = { - name = "google"; - description = "user for running google+/gmail in chromium"; - home = "/home/google"; - useDefaultShell = true; - createHome = true; - }; - flash = { - name = "flash"; - description = "user for running flash stuff"; - home = "/home/flash"; - useDefaultShell = true; - extraGroups = [ "audio" ]; - createHome = true; - }; - }; - - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(firefox) NOPASSWD: ALL - ${mainUser.name} ALL=(chromium) NOPASSWD: ALL - ${mainUser.name} ALL=(facebook) NOPASSWD: ALL - ${mainUser.name} ALL=(google) NOPASSWD: ALL - ${mainUser.name} ALL=(flash) NOPASSWD: ALL - ''; -} 
diff --git a/2configs/lass/chromium-patched.nix b/2configs/lass/chromium-patched.nix deleted file mode 100644 index 715181778..000000000 --- a/2configs/lass/chromium-patched.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, pkgs, ... }: - -#settings to test: -# - #"ForceEphemeralProfiles": true, -let - masterPolicy = pkgs.writeText "master.json" '' - { - "PasswordManagerEnabled": false, - "DefaultGeolocationSetting": 2, - "RestoreOnStartup": 1, - "AutoFillEnabled": false, - "BackgroundModeEnabled": false, - "DefaultBrowserSettingEnabled": false, - "SafeBrowsingEnabled": false, - "ExtensionInstallForcelist": [ - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", - "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" - ] - } - ''; - - master_preferences = pkgs.writeText "master_preferences" '' - { - "browser": { - "custom_chrome_frame": true - }, - - "extensions": { - "theme": { - "id": "", - "use_system": true - } - } - } - ''; -in { - environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy; - - environment.systemPackages = [ - #pkgs.chromium - (pkgs.lib.overrideDerivation pkgs.chromium (attrs: { - buildCommand = attrs.buildCommand + '' - touch $out/TEST123 - ''; - })) - ]; -} diff --git a/2configs/lass/desktop-base.nix b/2configs/lass/desktop-base.nix deleted file mode 100644 index 9b98e4a8b..000000000 --- a/2configs/lass/desktop-base.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; -in { - imports = [ - ./base.nix - ]; - - time.timeZone = "Europe/Berlin"; - - virtualisation.libvirtd.enable = true; - - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - - programs.ssh.startAgent = false; - - security.setuidPrograms = [ "slock" ]; - - services.printing = { - enable = true; - drivers = [ pkgs.foomatic_filters ]; - }; - - environment.systemPackages = with pkgs; [ - - powertop - - #window manager stuff - haskellPackages.xmobar - haskellPackages.yeganesh - dmenu2 - xlibs.fontschumachermisc - ]; - - fonts.fonts = [ - pkgs.xlibs.fontschumachermisc - ]; - - services.xserver = { - enable = true; - - windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ - X11-xshape - ]; - windowManager.xmonad.enable = true; - windowManager.xmonad.enableContribAndExtras = true; - windowManager.default = "xmonad"; - desktopManager.default = "none"; - desktopManager.xterm.enable = false; - displayManager.slim.enable = true; - displayManager.auto.enable = true; - displayManager.auto.user = mainUser.name; - - layout = "us"; - xkbModel = "evdev"; - xkbVariant = "altgr-intl"; - }; - -} diff --git a/2configs/lass/elster.nix b/2configs/lass/elster.nix deleted file mode 100644 index 1edd01896..000000000 --- a/2configs/lass/elster.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - users.extraUsers = { - elster = { - name = "elster"; - description = "user for running elster-online"; - home = "/home/elster"; - useDefaultShell = true; - extraGroups = []; - createHome = true; - }; - }; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(elster) NOPASSWD: ALL - ''; -} diff --git a/2configs/lass/fastpoke-pages.nix b/2configs/lass/fastpoke-pages.nix deleted file mode 100644 index 74e92ccc3..000000000 --- a/2configs/lass/fastpoke-pages.nix +++ /dev/null 
@@ -1,97 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - createStaticPage = domain: - { - krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/${domain}; - '') - ]; - }; - #networking.extraHosts = '' - # 10.243.206.102 ${domain} - #''; - }; - -in { - imports = [ - ../../3modules/lass/iptables.nix - ] ++ map createStaticPage [ - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - ]; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - ]; - }; - }; - - - krebs.nginx = { - enable = true; - servers = { - - #"habsys.de" = { - # server-names = [ - # "habsys.de" - # "www.habsys.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/habsys.de; - # '') - # ]; - #}; - - #"karlaskop.de" = { - # server-names = [ - # "karlaskop.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - #"pixelpocket.de" = { - # server-names = [ - # "pixelpocket.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - }; - }; - - #services.postgresql = { - # enable = true; - #}; - - #config.services.vsftpd = { - # enable = true; - # userlistEnable = true; - # userlistFile = pkgs.writeFile "vsftpd-userlist" '' - # ''; - #}; -} diff --git a/2configs/lass/games.nix b/2configs/lass/games.nix deleted file mode 100644 index 6043a8759..000000000 --- a/2configs/lass/games.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - environment.systemPackages = with pkgs; [ - dwarf_fortress - ]; - - users.extraUsers = { - games = { - name = "games"; - description = "user playing games"; - home = "/home/games"; - extraGroups = [ "audio" "video" "input" ]; - createHome = true; - useDefaultShell = true; - }; - }; - - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(games) NOPASSWD: ALL - ''; -} diff --git a/2configs/lass/gitolite-base.nix b/2configs/lass/gitolite-base.nix deleted file mode 100644 index b47629956..000000000 --- a/2configs/lass/gitolite-base.nix +++ /dev/null 
@@ -1,173 +0,0 @@ -{ config, ... }: - -{ - services.gitolite = { - mutable = false; - keys = { - lass = config.sshKeys.lass.pub; - uriel = config.sshKeys.uriel.pub; - }; - rc = '' - %RC = ( - UMASK => 0077, - GIT_CONFIG_KEYS => "", - LOG_EXTRA => 1, - ROLES => { - READERS => 1, - WRITERS => 1, - }, - LOCAL_CODE => "$ENV{HOME}/.gitolite", - ENABLE => [ - 'help', - 'desc', - 'info', - 'perms', - 'writable', - 'ssh-authkeys', - 'git-config', - 'daemon', - 'gitweb', - 'repo-specific-hooks', - ], - ); - 1; - ''; - - repoSpecificHooks = { - irc-announce = '' - #! /bin/sh - set -euf - - config_file="$GL_ADMIN_BASE/conf/irc-announce.conf" - if test -f "$config_file"; then - . "$config_file" - fi - - # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update - # any relevant gitolite LOCAL_CODE! - # CAVEAT we hope that IRC_NICK is unique - IRC_NICK="''${IRC_NICK-gl$GL_TID}" - IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}" - IRC_SERVER="''${IRC_SERVER-ire.retiolum}" - IRC_PORT="''${IRC_PORT-6667}" - - # for privmsg_cat below - export IRC_CHANNEL - - # collect users that are mentioned in the gitolite configuration - interested_users="$(perl -e ' - do "gl-conf"; - print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} }); - ')" - - # CAVEAT beware of real TABs in grep pattern! - # CAVEAT there will never be more than 42 relevant log entries! 
- tab=$(printf '\x09') - log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^$tab]*$tab$GL_TID$tab" || :)" - - update_log="$(echo "$log" | grep "^[^$tab]*$tab$GL_TID''${tab}update")" - - # (debug output) - env | sed 's/^/env: /' - echo "$log" | sed 's/^/log: /' - - # see http://gitolite.com/gitolite/dev-notes.html#lff - reponame=$(echo "$update_log" | cut -f 4) - username=$(echo "$update_log" | cut -f 5) - ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||') - old_sha=$(echo "$update_log" | cut -f 8) - new_sha=$(echo "$update_log" | cut -f 9) - - # check if new branch is created - if test $old_sha = 0000000000000000000000000000000000000000; then - # TODO what should we really show? - old_sha=$new_sha^ - fi - - # - git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)" - commit_count=$(echo "$git_log" | wc -l) - - # echo2 and cat2 are used output to both, stdout and stderr - # This is used to see what we send to the irc server. (debug output) - echo2() { echo "$*"; echo "$*" >&2; } - cat2() { tee /dev/stderr; } - - # privmsg_cat transforms stdin to a privmsg - privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } - - # ircin is used to feed the output of netcat back to the "irc client" - # so we can implement expect-like behavior with sed^_^ - # XXX mkselfdestructingtmpfifo would be nice instead of this cruft - tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" - cd "$tmpdir" - mkfifo ircin - trap " - rm ircin - cd '$OLDPWD' - rmdir '$tmpdir' - trap - EXIT INT QUIT - " EXIT INT QUIT - - # - # - # - { - echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" - echo2 "NICK $IRC_NICK" - - # wait for MODE message - sed -n '/^:[^ ]* MODE /q' - - echo2 "JOIN $IRC_CHANNEL" - - echo "$interested_users" \ - | tr ' ' '\n' \ - | grep -v "^$GL_USER" \ - | sed 's/$/: poke/' \ - | privmsg_cat \ - | cat2 - - printf '[\x0313%s\x03] %s pushed %s new commit%s to \x036%s %s\x03\n' \ - "$reponame" \ - "$username" \ - "$commit_count" \ - "$(test $commit_count 
= 1 || echo s)" \ - "$(hostname)" \ - "$ref_name" \ - | privmsg_cat \ - | cat2 - - echo "$git_log" \ - | sed 's/^/\x0314/;s/ /\x03 /' \ - | privmsg_cat \ - | cat2 - - echo2 "PART $IRC_CHANNEL" - - # wait for PART confirmation - sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' - - echo2 'QUIT :Gone to have lunch' - } < ircin \ - | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin - ''; - }; - customFiles = [ - { - path = ".gitolite/conf/irc-announce.conf"; - file = '' - IRC_NICK="$(hostname)$GL_TID" - case "$GL_REPO" in - brain|painload|services|load-env|config) - IRC_CHANNEL='#retiolum' - ;; - *) - IRC_CHANNEL='&testing' - ;; - esac - ''; - } - ]; - }; -} diff --git a/2configs/lass/identity.nix b/2configs/lass/identity.nix deleted file mode 100644 index bfaad14d2..000000000 --- a/2configs/lass/identity.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, ... }: - -{ - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; - search = "retiolum"; - hosts = { - cloudkrebs = { - cores = 1; - dc = "lass"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["104.167.113.104"]; - aliases = [ - "cloudkrebs.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.206.102"]; - addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; - aliases = [ - "cloudkrebs.retiolum" - "cgit.cloudkrebs.retiolum" - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - "aidsballs.de" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA - OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF - QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v - 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC - sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO - TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - }; - }; -} 
diff --git a/2configs/lass/ircd.nix b/2configs/lass/ircd.nix deleted file mode 100644 index f71b769fd..000000000 --- a/2configs/lass/ircd.nix +++ /dev/null @@ -1,92 +0,0 @@ -{ config, pkgs, ... }: - -{ - config.services.charybdis = { - enable = true; - config = '' - serverinfo { - name = "ire.irc.retiolum"; - sid = "4z3"; - description = "miep!"; - network_name = "irc.retiolum"; - network_desc = "Retiolum IRC Network"; - hub = yes; - - vhost = "0.0.0.0"; - vhost6 = "::"; - - #ssl_private_key = "etc/ssl.key"; - #ssl_cert = "etc/ssl.cert"; - #ssl_dh_params = "etc/dh.pem"; - #ssld_count = 1; - - default_max_clients = 10000; - #nicklen = 30; - }; - - listen { - defer_accept = yes; - - /* If you want to listen on a specific IP only, specify host. - * host definitions apply only to the following port line. - */ - host = "0.0.0.0"; - port = 6667; - sslport = 6697; - - /* Listen on IPv6 (if you used host= above). */ - host = "::"; - port = 6667; - sslport = 9999; - }; - - class "users" { - ping_time = 2 minutes; - number_per_ident = 200; - number_per_ip = 200; - number_per_ip_global = 500; - cidr_ipv4_bitlen = 24; - cidr_ipv6_bitlen = 64; - number_per_cidr = 9000; - max_number = 10000; - sendq = 400 kbytes; - }; - - exempt { - ip = "127.0.0.1"; - }; - - auth { - user = "*@*"; - class = "users"; - flags = exceed_limit; - }; - - channel { - use_invex = yes; - use_except = yes; - use_forward = yes; - use_knock = yes; - knock_delay = 5 minutes; - knock_delay_channel = 1 minute; - max_chans_per_user = 15; - max_bans = 100; - max_bans_large = 500; - default_split_user_count = 0; - default_split_server_count = 0; - no_create_on_split = no; - no_join_on_split = no; - burst_topicwho = yes; - kick_on_split_riding = no; - only_ascii_channels = no; - resv_forcepart = yes; - channel_target_change = yes; - disable_local_channels = no; - }; - general { - #maybe we want ident someday? - disable_auth = yes; - }; - ''; - }; -} 
diff --git a/2configs/lass/mors/repos.nix b/2configs/lass/mors/repos.nix deleted file mode 100644 index 1f7f33456..000000000 --- a/2configs/lass/mors/repos.nix +++ /dev/null @@ -1,87 +0,0 @@ -{ ... }: - -{ - imports = [ - ../lass/gitolite-base.nix - ../common/krebs-keys.nix - ../common/krebs-repos.nix - ]; - - services.gitolite = { - repos = { - - config = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - pass = { - users = { - lass = "RW+"; - uriel = "R"; - }; - }; - - load-env = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - emse-drywall = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - emse-hsdb = { - users = { - lass = "RW+"; - uriel = "R"; - tv = "R"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - brain = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - #hooks.post-receive = irc-announce; - }; - - painload = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - services = { - users = { - lass = "RW+"; - }; - extraConfig = "option hook.post-receive = irc-announce"; - }; - - xmonad-config = { - users = { - lass = "RW+"; - uriel = "R"; - }; - }; - - }; - }; -} diff --git a/2configs/lass/mors/retiolum.nix b/2configs/lass/mors/retiolum.nix deleted file mode 100644 index 1148bee9c..000000000 --- a/2configs/lass/mors/retiolum.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../tv/retiolum - ]; - - tv.retiolum = { - enable = true; - hosts = ; - privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv"; - connectTo = [ - "fastpoke" - "gum" - "ire" - ]; - }; - - networking.firewall.allowedTCPPorts = [ 655 ]; - networking.firewall.allowedUDPPorts = [ 655 ]; -} 
diff --git a/2configs/lass/new-repos.nix b/2configs/lass/new-repos.nix deleted file mode 100644 index 2c73f9509..000000000 --- a/2configs/lass/new-repos.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ../../4lib/tv { inherit lib pkgs; }; -let - - out = { - krebs.git = { - enable = true; - root-title = "public repositories at ${config.krebs.build.host.name}"; - root-desc = "keep calm and engage"; - inherit repos rules; - }; - }; - - repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( - public-repos // - optionalAttrs config.krebs.build.host.secure restricted-repos - ); - - rules = concatMap make-rules (attrValues repos); - - public-repos = mapAttrs make-public-repo { - painload = {}; - stockholm = { - desc = "take all the computers hostage, they'll love you!"; - }; - wai-middleware-time = {}; - web-routes-wai-custom = {}; - }; - - restricted-repos = mapAttrs make-restricted-repo ( - { - brain = { - collaborators = with config.krebs.users; [ tv makefu ]; - }; - } // - import /root/src/secrets/repos.nix { inherit config lib pkgs; } - ); - - make-public-repo = name: { desc ? null, ... }: { - inherit name desc; - public = true; - hooks = { - post-receive = git.irc-announce { - # TODO make nick = config.krebs.build.host.name the default - nick = config.krebs.build.host.name; - channel = "#retiolum"; - server = "cd.retiolum"; - }; - }; - }; - - make-restricted-repo = name: { desc ? null, ... }: { - inherit name desc; - public = false; - }; - - make-rules = - with git // config.krebs.users; - repo: - singleton { - user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } ++ - optional repo.public { - user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } ++ - optional (length (repo.collaborators or []) > 0) { - user = repo.collaborators; - repo = [ repo ]; - perm = fetch; - }; - -in out 
diff --git a/2configs/lass/pass.nix b/2configs/lass/pass.nix deleted file mode 100644 index 33eca0a17..000000000 --- a/2configs/lass/pass.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - pass - gnupg1 - ]; - - services.xserver.startGnuPGAgent = true; -} diff --git a/2configs/lass/programs.nix b/2configs/lass/programs.nix deleted file mode 100644 index 41d241bac..000000000 --- a/2configs/lass/programs.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, ... }: - -## TODO sort and split up -{ - environment.systemPackages = with pkgs; [ - aria2 - gnupg1compat - htop - i3lock - mc - mosh - mpv - pass - pavucontrol - pv - pwgen - python34Packages.livestreamer - remmina - silver-searcher - wget - xsel - youtube-dl - ]; -} diff --git a/2configs/lass/retiolum.nix b/2configs/lass/retiolum.nix deleted file mode 100644 index 767a1ce83..000000000 --- a/2configs/lass/retiolum.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ ... }: - -{ - imports = [ - ../../3modules/lass/iptables.nix - ../../2configs/tv/exim-retiolum.nix - ]; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } - { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } - { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } - ]; - }; - }; - - krebs.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "cloudkrebs" - "pigstarter" - ]; - }; -} diff --git a/2configs/lass/sshkeys.nix b/2configs/lass/sshkeys.nix deleted file mode 100644 index 114a2596b..000000000 --- a/2configs/lass/sshkeys.nix +++ /dev/null 
@@ -1,11 +0,0 @@ -{ config, ... }: - -{ - imports = [ - ../../3modules/lass/sshkeys.nix - ]; - - config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors"; - - config.sshKeys.uriel.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel"; -} diff --git a/2configs/lass/steam.nix b/2configs/lass/steam.nix deleted file mode 100644 index 7d088fc6a..000000000 --- a/2configs/lass/steam.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ config, pkgs, ... }: - -{ - - imports = [ - ./games.nix - ]; - # - # Steam stuff - # source: https://nixos.org/wiki/Talk:Steam - # - ##TODO: make steam module - hardware.opengl.driSupport32Bit = true; - - nixpkgs.config.steam.java = true; - environment.systemPackages = with pkgs; [ - steam - ]; - networking.firewall = { - allowedUDPPorts = [ - 27031 - 27036 - ]; - allowedTCPPorts = [ - 27036 - 27037 - ]; - }; - -} diff --git a/2configs/lass/texlive.nix b/2configs/lass/texlive.nix deleted file mode 100644 index 295df31cd..000000000 --- a/2configs/lass/texlive.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - (pkgs.texLiveAggregationFun { paths = [ pkgs.texLive pkgs.texLiveFull ]; }) - ]; -} diff --git a/2configs/lass/urxvt.nix b/2configs/lass/urxvt.nix deleted file mode 100644 index a2074ba02..000000000 
--- a/2configs/lass/urxvt.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, pkgs, ... }: - -let - inherit (config.users.extraUsers) mainUser; - -in - -{ - imports = [ - ../../3modules/lass/urxvtd.nix - ../../3modules/lass/xresources.nix - ]; - - services.urxvtd = { - enable = true; - users = [ mainUser.name ]; - urxvtPackage = pkgs.rxvt_unicode_with-plugins; - }; - services.xresources.enable = true; - services.xresources.resources.urxvt = '' - URxvt*scrollBar: false - URxvt*urgentOnBell: true - URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-* - URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-* - URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select - URxvt.url-select.launcher: browser-select - URxvt.url-select.underline: true - URxvt.keysym.M-u: perl:url-select:select_next - URxvt.keysym.M-Escape: perl:keyboard-select:activate - URxvt.keysym.M-s: perl:keyboard-select:search - - URxvt.intensityStyles: false - - URxvt*background: #000000 - URxvt*foreground: #ffffff - - !change unreadable blue - URxvt*color4: #268bd2 - ''; -} diff --git a/2configs/lass/vim.nix b/2configs/lass/vim.nix deleted file mode 100644 index 3fe45e1d1..000000000 --- a/2configs/lass/vim.nix +++ /dev/null 
@@ -1,118 +0,0 @@ -{ config, pkgs, ... }: - -let - customPlugins.mustang2 = pkgs.vimUtils.buildVimPlugin { - name = "Mustang2"; - src = pkgs.fetchFromGitHub { - owner = "croaker"; - repo = "mustang-vim"; - rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; - sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; - }; - }; - -in { - - environment.systemPackages = [ - (pkgs.vim_configurable.customize { - name = "vim"; - - vimrcConfig.customRC = '' - set nocompatible - set t_Co=16 - syntax on - " TODO autoload colorscheme file - set background=dark - colorscheme mustang - filetype off - filetype plugin indent on - - imap - - set mouse=a - set ruler - set showmatch - set backspace=2 - set visualbell - set encoding=utf8 - set showcmd - set wildmenu - - set title - set titleold= - set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} - - set autoindent - - set ttyfast - - set pastetoggle= - - - " Force Saving Files that Require Root Permission - command! W silent w !sudo tee "%" >/dev/null - - nnoremap :q - vnoremap < >gv - - nmap q :buffer - - "Tabwidth - set ts=2 sts=2 sw=2 et - - " create Backup/tmp/undo dirs - function! InitBackupDir() - let l:parent = $HOME . '/.vim/' - let l:backup = l:parent . 'backups/' - let l:tmpdir = l:parent . 'tmp/' - let l:undodi = l:parent . 
'undo/' - - if !isdirectory(l:parent) - call mkdir(l:parent) - endif - if !isdirectory(l:backup) - call mkdir(l:backup) - endif - if !isdirectory(l:tmpdir) - call mkdir(l:tmpdir) - endif - if !isdirectory(l:undodi) - call mkdir(l:undodi) - endif - endfunction - call InitBackupDir() - - " Backups & Files - set backup - set backupdir=~/.vim/backups - set directory=~/.vim/tmp// - set viminfo='20,<1000,s100,h,n~/.vim/tmp/info - set undodir=$HOME/.vim/undo - set undofile - - " highlight whitespaces - highlight ExtraWhitespace ctermbg=red guibg=red - match ExtraWhitespace /\s\+$/ - autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ - autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@ iptablesAttrSet` -> str - #todo: differentiate by iptables-version - buildTables = v: ts: - let - - declareChain = t: cn: - #TODO: find out what to do whit these count numbers - ":${cn} ${t."${cn}".policy} [0:0]"; - - buildChain = tn: cn: - let - sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; - - in - #TODO: double check should be unneccessary, refactor! - if (hasAttr "rules" ts."${tn}"."${cn}") then - if (ts."${tn}"."${cn}".rules == null) then - "" - else - concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map (buildRule tn cn) sortedRules - ) - else - "" - ; - - - buildRule = tn: cn: rule: - #target validation test: - assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); - - #predicate validation test: - #maybe use iptables-test - #TODO: howto exit with evaluation error by shellscript? - #apperantly not possible from nix because evalatution wouldn't be deterministic. 
- "${rule.predicate} -j ${rule.target}"; - - buildTable = tn: - "*${tn}\n" + - concatStringsSep "\n" ([] - ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") - ) + - #this looks dirty, find a better way to do this (maybe optionalString) - concatStringsSep "" ([] - ++ map (buildChain tn) (attrNames ts."${tn}") - ) + - "\nCOMMIT"; - in - concatStringsSep "\n" ([] - ++ map buildTable (attrNames ts) - ); - -#===== - - rules4 = iptables-version: - let - #TODO: find out good defaults. - tables-defaults = { - nat.PREROUTING.policy = "ACCEPT"; - nat.INPUT.policy = "ACCEPT"; - nat.OUTPUT.policy = "ACCEPT"; - nat.POSTROUTING.policy = "ACCEPT"; - filter.INPUT.policy = "ACCEPT"; - filter.FORWARD.policy = "ACCEPT"; - filter.OUTPUT.policy = "ACCEPT"; - - #if someone specifies any other rules on this chain, the default rules get lost. - #is this wanted beahiviour or a bug? - #TODO: implement abstraction of rules - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; - }; - tables = tables-defaults // cfg.tables; - - in - writeText "lass-iptables-rules${toString iptables-version}" '' - ${buildTables iptables-version tables} - ''; - - startScript = writeScript "lass-iptables_start" '' - #! /bin/sh - set -euf - iptables-restore < ${rules4 4} - ip6tables-restore < ${rules4 6} - ''; - -in -out - diff --git a/3modules/lass/sshkeys.nix b/3modules/lass/sshkeys.nix deleted file mode 100644 index 5f1c60668..000000000 --- a/3modules/lass/sshkeys.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ lib, ... }: - -with lib; - -{ - options = { - sshKeys = mkOption { - type = types.attrsOf (types.submodule ( - { config, ... }: - { - options = { - pub = mkOption { - type = types.str; - description = "Public part of the ssh key."; - }; - - priv = mkOption { - type = types.str; - description = "Private part of the ssh key."; - }; - }; - })); - description = "collection of ssh-keys"; - }; - }; -} 
diff --git a/3modules/lass/urxvtd.nix b/3modules/lass/urxvtd.nix deleted file mode 100644 index 469616a9f..000000000 --- a/3modules/lass/urxvtd.nix +++ /dev/null @@ -1,55 +0,0 @@ -{ config, lib, pkgs, ... }: - -let -in - -with builtins; -with lib; - -{ - options = { - services.urxvtd = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable urxvtd per user"; - }; - users = mkOption { - type = types.listOf types.string; - default = []; - description = "users to run urxvtd for"; - }; - urxvtPackage = mkOption { - type = types.package; - default = pkgs.rxvt_unicode; - description = "urxvt package to use"; - }; - }; - }; - - config = - let - cfg = config.services.urxvtd; - users = cfg.users; - urxvt = cfg.urxvtPackage; - mkService = user: { - description = "urxvt terminal daemon"; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = false; - path = [ pkgs.xlibs.xrdb ]; - environment = { - DISPLAY = ":0"; - URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl"; - }; - serviceConfig = { - Restart = "always"; - User = user; - ExecStart = "${urxvt}/bin/urxvtd"; - }; - }; - in - mkIf cfg.enable { - environment.systemPackages = [ urxvt ]; - systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); - }; -} diff --git a/3modules/lass/xresources.nix b/3modules/lass/xresources.nix deleted file mode 100644 index 15c5b8b74..000000000 --- a/3modules/lass/xresources.nix +++ /dev/null 
@@ -1,57 +0,0 @@ -{ config, lib, pkgs, ... }: - -#TODO: -#prefix with Attribute Name -#ex: urxvt - -# -# -with builtins; -with lib; - - -let - - inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape; - inherit (pkgs) writeScript; - -in - -{ - - options = { - services.xresources.enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable the automatic loading of Xresources definitions at display-manager start; - ''; - }; - - services.xresources.resources = mkOption { - default = {}; - type = types.attrsOf types.str; - example = { - urxvt = '' - URxvt*scrollBar: false - URxvt*urgentOnBell: true - ''; - }; - description = '' - Xresources definitions. - ''; - }; - }; - - config = - let - cfg = config.services.xresources; - xres = concatStringsSep "\n" (attrValues cfg.resources); - - in mkIf cfg.enable { - services.xserver.displayManager.sessionCommands = '' - echo ${shell-escape xres} | xrdb -merge - ''; - }; - -} diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix new file mode 100644 index 000000000..30a7fb51c --- /dev/null +++ b/lass/1systems/cloudkrebs.nix 
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../../2configs/tv/CAC-Developer-2.nix
+ ../../2configs/tv/CAC-CentOS-7-64bit.nix
+ ../../2configs/lass/base.nix
+ ../../2configs/lass/retiolum.nix
+ ../../2configs/lass/fastpoke-pages.nix
+ ../../2configs/lass/new-repos.nix
+ {
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "104.167.113.104";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "104.167.113.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+
+ }
+ ];
+
+ krebs.build = {
+ target = "root@cloudkrebs";
+ host = config.krebs.hosts.cloudkrebs;
+ deps = {
+ nixpkgs = {
+ url = https://github.com/Lassulus/nixpkgs;
+ rev = "1879a011925c561f0a7fd4043da0768bbff41d0b";
+ };
+ secrets = {
+ url = "/home/lass/secrets/${config.krebs.build.host.name}";
+ };
+ stockholm = {
+ url = toString ../..;
+ };
+ };
+ };
+
+ networking.hostName = "cloudkrebs";
+
+}
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
new file mode 100644
index 000000000..3519bff66
--- /dev/null
+++ b/lass/1systems/mors.nix
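Review bot: Three of the imports in this new host file point at paths that this same diff deletes: from lass/1systems/ the entries `../../2configs/lass/retiolum.nix`, `../../2configs/lass/fastpoke-pages.nix` and `../../2configs/lass/new-repos.nix` resolve to 2configs/lass/…, and the diff carries `deleted file mode` headers for exactly those three files (the `-1,143 +0,0` hunk for 2configs/lass/base.nix looks like a whole-file removal too). Unless a later hunk recreates them at the old location, evaluating this host fails at import time; if the configs moved under lass/2configs/ as the new file location suggests, the imports should become `../2configs/retiolum.nix` and so on. Separately, `networking.nameservers = [ "8.8.8.8" ];` leaves this Internet-facing host with a single external resolver and no fallback, so a second entry is worth adding to avoid a single point of failure for name resolution.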
@@ -0,0 +1,211 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../../2configs/lass/desktop-base.nix + ../../2configs/lass/programs.nix + ../../2configs/lass/bitcoin.nix + ../../2configs/lass/browsers.nix + ../../2configs/lass/games.nix + ../../2configs/lass/pass.nix + ../../2configs/lass/virtualbox.nix + ../../2configs/lass/elster.nix + ../../2configs/lass/urxvt.nix + ../../2configs/lass/steam.nix + ../../2configs/lass/wine.nix + ../../2configs/lass/texlive.nix + ../../2configs/lass/binary-caches.nix + ../../2configs/lass/ircd.nix + ../../2configs/lass/chromium-patched.nix + ../../2configs/lass/new-repos.nix + #../../2configs/tv/synaptics.nix + ../../2configs/lass/retiolum.nix + ]; + + krebs.build = { + target = "root@mors"; + host = config.krebs.hosts.mors; + deps = { + nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "1879a011925c561f0a7fd4043da0768bbff41d0b"; + }; + secrets = { + url = "/home/lass/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; + }; + + networking.hostName = "mors"; + networking.wireless.enable = true; + + networking.extraHosts = '' + ''; + + nix.maxJobs = 4; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + boot = { + loader.grub.enable = true; + loader.grub.version = 2; + loader.grub.device = "/dev/sda"; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + kernelModules = [ "msr" ]; + }; + fileSystems = { + "/" = { + device = "/dev/big/nix"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + + "/mnt/loot" = { + device = "/dev/big/loot"; + fsType = "ext4"; + }; + + "/home" = { + device = "/dev/big/home"; + fsType = "ext4"; + }; + + "/home/lass" = { + device = "/dev/big/home-lass"; + fsType = "ext4"; + }; + + "/mnt/backups" 
= { + device = "/dev/big/backups"; + fsType = "ext4"; + }; + + "/home/games/.local/share/Steam" = { + device = "/dev/big/steam"; + fsType = "ext4"; + }; + + "/home/virtual/virtual" = { + device = "/dev/big/virtual"; + fsType = "ext4"; + }; + + "/mnt/public" = { + device = "/dev/big/public"; + fsType = "ext4"; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" + ''; + + #TODO activationScripts seem broken, fix them! + #activationScripts + #split up and move into base + system.activationScripts.powertopTunables = '' + #Enable Audio codec power management + echo '1' > '/sys/module/snd_hda_intel/parameters/power_save' + #VM writeback timeout + echo '1500' > '/proc/sys/vm/dirty_writeback_centisecs' + #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp] + echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control' + #Autosuspend for USB device Biometric Coprocessor + echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control' + + #Runtime PMs + echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' + echo 'auto' > 
'/sys/bus/pci/devices/0000:00:19.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' + ''; + + hardware.trackpoint = { + enable = true; + sensitivity = 220; + speed = 0; + emulateWheel = true; + }; + + #system.activationScripts.trackpoint = '' + # echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed' + # echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity' + #''; + + services.xserver = { + videoDriver = "intel"; + vaapiDrivers = [ pkgs.vaapiIntel ]; + deviceSection = '' + Option "AccelMethod" "sna" + BusID "PCI:0:2:0" + ''; + }; + + environment.systemPackages = with pkgs; [ + ]; + + #TODO: fix this shit + ##fprint stuff + ##sudo fprintd-enroll $USER to save fingerprints + #services.fprintd.enable = true; + #security.pam.services.sudo.fprintAuth = true; + + users.extraGroups = { + loot = { + members = [ + config.users.extraUsers.mainUser.name + "firefox" + "chromium" + "google" + "virtual" + ]; + }; + }; + + networking.firewall = { + allowPing = true; + allowedTCPPorts = [ + 8000 + ]; + allowedUDPPorts = [ + 67 + ]; + }; + + services.mongodb = { + enable = true; + }; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } + ]; + }; + }; +} diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix new file mode 100644 index 000000000..8984004e1 --- /dev/null +++ b/lass/1systems/uriel.nix 
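Review bot: Port 8000 is opened twice here, once via `networking.firewall.allowedTCPPorts` and once via `lass.iptables` with `precedence = 9001`, and both mechanisms manage the same filter table. base.nix (reached through desktop-base.nix) enables `lass.iptables` with INPUT/FORWARD DROP policies, so if the stock NixOS firewall also stays enabled, whichever module writes its rules last decides what is reachable, and the UDP 67 rule exists only on the stock side. Pick one firewall for this host — either add `networking.firewall.enable = false;` beside the `lass.iptables` block and move the 8000/67 rules into it, or drop the `lass.iptables` block — and say so in a comment. The `system.activationScripts.powertopTunables` block writes to fixed USB/PCI sysfs addresses; a one-line comment that these are mors-specific device paths would stop it being copied to uriel.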
@@ -0,0 +1,181 @@ +{ config, pkgs, ... }: + +with builtins; +{ + imports = [ + ../../2configs/lass/desktop-base.nix + ../../2configs/lass/browsers.nix + ../../2configs/lass/games.nix + ../../2configs/lass/pass.nix + ../../2configs/lass/urxvt.nix + ../../2configs/lass/bird.nix + ../../2configs/lass/new-repos.nix + ../../2configs/lass/chromium-patched.nix + ../../2configs/lass/retiolum.nix + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/uriel.ssh.pub + ]; + }; + }; + } + ]; + + krebs.build = { + target = "root@uriel"; + host = config.krebs.hosts.uriel; + deps = { + nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "961fcbabd7643171ea74bd550fee1ce5c13c2e90"; + }; + secrets = { + url = "/home/lass/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; + }; + + networking.hostName = "uriel"; + + networking.wireless.enable = true; + nix.maxJobs = 2; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + boot = { + #kernelParams = [ + # "acpi.brightness_switch_enabled=0" + #]; + #loader.grub.enable = true; + #loader.grub.version = 2; + #loader.grub.device = "/dev/sda"; + + loader.gummiboot.enable = true; + loader.gummiboot.timeout = 5; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + kernelModules = [ "msr" ]; + extraModprobeConfig = '' + ''; + }; + fileSystems = { + "/" = { + device = "/dev/pool/root"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" + ''; + + #services.xserver = { + #}; + + services.xserver.synaptics = { + enable = 
true; + twoFingerScroll = true; + accelFactor = "0.035"; + additionalOptions = '' + Option "FingerHigh" "60" + Option "FingerLow" "60" + ''; + }; + + environment.systemPackages = with pkgs; [ + ]; + + #for google hangout + + users.extraUsers.google.extraGroups = [ "audio" "video" ]; + + + #users.extraGroups = { + # loot = { + # members = [ + # "lass" + # "firefox" + # "chromium" + # "google" + # ]; + # }; + #}; + # + # iptables + # + #networking.firewall.enable = false; + #system.activationScripts.iptables = + # let + # log = false; + # when = c: f: if c then f else ""; + # in + # '' + # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } + # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } + # ipXtables() { ip4tables "$@"; ip6tables "$@"; } + + # # + # # nat + # # + + # # reset tables + # ipXtables -t nat -F + # ipXtables -t nat -X + + # # + # #ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 + # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh + + # # + # # filter + # # + + # # reset tables + # ipXtables -P INPUT DROP + # ipXtables -P FORWARD DROP + # ipXtables -F + # ipXtables -X + + # # create custom chains + # ipXtables -N Retiolum + + # # INPUT + # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + # ipXtables -A INPUT -j ACCEPT -i lo + # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW + # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW + # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW + # ipXtables -A INPUT -j Retiolum -i retiolum + # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} + + # # FORWARD + # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} + + # # Retiolum + # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request + # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type 
echo-request + + + # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} + # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset + # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable + # ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable + # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable + # ip6tables -A Retiolum -j REJECT + + # ''; +} diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix new file mode 100644 index 000000000..8d4a9c896 --- /dev/null +++ b/lass/2configs/base.nix 
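Review bot: Roughly ninety of the added lines are a commented-out `system.activationScripts.iptables` shell script plus an empty `#services.xserver = {` stub and a commented `users.extraGroups`, which is dead configuration now that base.nix enables the `lass.iptables` module with DROP policies. Keeping the old raw script next to module-managed rules invites someone to uncomment it and run two rule sets at once, and the script carried behaviour the module rules do not (the nat REDIRECT of 11423 to ssh). Delete the block — it stays in git history — and if the redirect is still wanted, express it as a `lass.iptables` nat rule. `with builtins;` at the top exists only for the single `readFile`; `builtins.readFile` at the call site is clearer.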
@@ -0,0 +1,143 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + imports = [ + ../../3modules/lass/iptables.nix + ../../2configs/lass/vim.nix + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import /root/src/secrets/hashedPasswords.nix); + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + }; + } + ]; + + krebs = { + enable = true; + search-domain = "retiolum"; + }; + + nix.useChroot = true; + + users.mutableUsers = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + PAGER=most + ''; + + environment.systemPackages = with pkgs; [ + nmap + + git + most + rxvt_unicode.terminfo + + #network + iptables + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + #fancy colors + if [ -e ~/LS_COLORS ]; then + eval $(dircolors ~/LS_COLORS) + fi + + if [ -e /etc/nixos/dotfiles/link ]; then + /etc/nixos/dotfiles/link + fi + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + security.setuidPrograms = [ + "sendmail" + ]; + + #services.gitolite = { + # enable = true; + # dataDir = 
"/home/gitolite"; + # adminPubkey = config.sshKeys.lass.pub; + #}; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + lass.iptables = { + enable = true; + tables = { + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } + ]; + }; + }; + +} diff --git a/lass/2configs/binary-caches.nix b/lass/2configs/binary-caches.nix new file mode 100644 index 000000000..c2727520d --- /dev/null +++ b/lass/2configs/binary-caches.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + nix.sshServe.enable = true; + nix.sshServe.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" + ]; + nix.binaryCaches = [ + #"scp://nix-ssh@mors" + #"scp://nix-ssh@uriel" + ]; +} diff --git a/lass/2configs/bird.nix b/lass/2configs/bird.nix new file mode 100644 index 000000000..3fc265cd7 --- /dev/null +++ b/lass/2configs/bird.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + config.services.bird = { + enable = true; + config = '' + router id 192.168.122.1; + protocol device { + scan time 10; + } + ''; + }; +} diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix new file mode 100644 index 000000000..d3bccbf5c --- /dev/null +++ b/lass/2configs/bitcoin.nix 
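Review bot: The `services.openssh.hostKeys` entry pairs `type = "ed25519"` with `bits = 8192`, which ssh-keygen ignores for ed25519 (the key size is fixed), as the `XXX bits here make no science` comment already admits; drop `bits` if the option accepts the entry without it, or replace the XXX with `# bits is ignored for ed25519 keys`. Separately, `readFile` is used under `with lib;` with no `with builtins;` — if `lib` in the pinned nixpkgs does not re-export it, this fails at evaluation, so `builtins.readFile` is the safer spelling (uriel.nix adds `with builtins;` for the same call). Also `/root/src/secrets/hashedPasswords.nix` is an absolute path read at evaluation time while the other secrets come from `krebs.build.deps.secrets` under `/home/lass/secrets/…`; a comment on why this one differs, and that with `users.mutableUsers = false` these hashes are the only local credentials, would help the next reader.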
@@ -0,0 +1,17 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + electrum + ]; + + users.extraUsers = { + bitcoin = { + name = "bitcoin"; + description = "user for bitcoin stuff"; + home = "/home/bitcoin"; + useDefaultShell = true; + createHome = true; + }; + }; +} diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix new file mode 100644 index 000000000..8aecea925 --- /dev/null +++ b/lass/2configs/browsers.nix @@ -0,0 +1,67 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + + nixpkgs.config.packageOverrides = pkgs : { + chromium = pkgs.chromium.override { + pulseSupport = true; + }; + }; + + environment.systemPackages = with pkgs; [ + firefox + ]; + + users.extraUsers = { + firefox = { + name = "firefox"; + description = "user for running firefox"; + home = "/home/firefox"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + chromium = { + name = "chromium"; + description = "user for running chromium"; + home = "/home/chromium"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + facebook = { + name = "facebook"; + description = "user for running facebook in chromium"; + home = "/home/facebook"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + google = { + name = "google"; + description = "user for running google+/gmail in chromium"; + home = "/home/google"; + useDefaultShell = true; + createHome = true; + }; + flash = { + name = "flash"; + description = "user for running flash stuff"; + home = "/home/flash"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + }; + + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(firefox) NOPASSWD: ALL + ${mainUser.name} ALL=(chromium) NOPASSWD: ALL + ${mainUser.name} ALL=(facebook) NOPASSWD: ALL + ${mainUser.name} ALL=(google) NOPASSWD: ALL + ${mainUser.name} ALL=(flash) NOPASSWD: ALL + ''; +} 
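Review bot: The five `security.sudo.extraConfig` lines grant `${mainUser.name}` `NOPASSWD: ALL` as each browser user, which is the per-application user isolation this file is built around, but nothing says so; a header comment such as `# each browser runs as its own unprivileged user; mainUser may switch to them via sudo without a password` would make the intent reviewable. The isolation is only as strong as what the accounts share: all but `google` are in `audio`, and mors.nix puts `firefox`, `chromium` and `google` into the shared `loot` group, so a compromised browser account reaches that mount. The `facebook` and `flash` users are created here but nothing visible in this commit references them; a comment if they are still used, otherwise remove them. bitcoin.nix on the same line follows the same pattern without a sudo rule, which may be intentional but is worth a word.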
diff --git a/lass/2configs/chromium-patched.nix b/lass/2configs/chromium-patched.nix new file mode 100644 index 000000000..715181778 --- /dev/null +++ b/lass/2configs/chromium-patched.nix @@ -0,0 +1,48 @@ +{ config, pkgs, ... }: + +#settings to test: +# + #"ForceEphemeralProfiles": true, +let + masterPolicy = pkgs.writeText "master.json" '' + { + "PasswordManagerEnabled": false, + "DefaultGeolocationSetting": 2, + "RestoreOnStartup": 1, + "AutoFillEnabled": false, + "BackgroundModeEnabled": false, + "DefaultBrowserSettingEnabled": false, + "SafeBrowsingEnabled": false, + "ExtensionInstallForcelist": [ + "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", + "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" + ] + } + ''; + + master_preferences = pkgs.writeText "master_preferences" '' + { + "browser": { + "custom_chrome_frame": true + }, + + "extensions": { + "theme": { + "id": "", + "use_system": true + } + } + } + ''; +in { + environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy; + + environment.systemPackages = [ + #pkgs.chromium + (pkgs.lib.overrideDerivation pkgs.chromium (attrs: { + buildCommand = attrs.buildCommand + '' + touch $out/TEST123 + ''; + })) + ]; +} diff --git a/lass/2configs/desktop-base.nix b/lass/2configs/desktop-base.nix new file mode 100644 index 000000000..9b98e4a8b --- /dev/null +++ b/lass/2configs/desktop-base.nix 
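Review bot: The managed policy sets `"SafeBrowsingEnabled": false` next to privacy settings like disabling the password manager and geolocation, but the trade-off is undocumented: the other entries reduce data sent to Google, while this one also switches off the URL and download reputation check. Either re-enable it or add `# SafeBrowsing disabled deliberately: no URL hashes sent to Google, at the cost of phishing/malware warnings` so the choice is explicit. The `overrideDerivation` that appends `touch $out/TEST123` to chromium's `buildCommand` looks like a leftover experiment — it forces a full chromium rebuild for no functional change — and the two force-installed extension IDs deserve a comment naming what they are.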
@@ -0,0 +1,63 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; +in { + imports = [ + ./base.nix + ]; + + time.timeZone = "Europe/Berlin"; + + virtualisation.libvirtd.enable = true; + + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + + programs.ssh.startAgent = false; + + security.setuidPrograms = [ "slock" ]; + + services.printing = { + enable = true; + drivers = [ pkgs.foomatic_filters ]; + }; + + environment.systemPackages = with pkgs; [ + + powertop + + #window manager stuff + haskellPackages.xmobar + haskellPackages.yeganesh + dmenu2 + xlibs.fontschumachermisc + ]; + + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + + services.xserver = { + enable = true; + + windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ + X11-xshape + ]; + windowManager.xmonad.enable = true; + windowManager.xmonad.enableContribAndExtras = true; + windowManager.default = "xmonad"; + desktopManager.default = "none"; + desktopManager.xterm.enable = false; + displayManager.slim.enable = true; + displayManager.auto.enable = true; + displayManager.auto.user = mainUser.name; + + layout = "us"; + xkbModel = "evdev"; + xkbVariant = "altgr-intl"; + }; + +} diff --git a/lass/2configs/elster.nix b/lass/2configs/elster.nix new file mode 100644 index 000000000..1edd01896 --- /dev/null +++ b/lass/2configs/elster.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + users.extraUsers = { + elster = { + name = "elster"; + description = "user for running elster-online"; + home = "/home/elster"; + useDefaultShell = true; + extraGroups = []; + createHome = true; + }; + }; + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(elster) NOPASSWD: ALL + ''; +} diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix new file mode 100644 index 000000000..74e92ccc3 --- /dev/null +++ b/lass/2configs/fastpoke-pages.nix 
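Review bot: `displayManager.auto.enable = true` with `displayManager.auto.user = mainUser.name` logs the main user into X without a password on every boot, so on mors and uriel the LUKS passphrase is the only authentication before an unlocked desktop; that is a defensible choice for a single-user laptop but deserves a comment, e.g. `# auto-login: disk encryption is the gate; slock (setuid above) locks the session afterwards`. `hardware.pulseaudio.systemWide = true` runs one PulseAudio daemon for all users, which is presumably what lets the per-application browser and game users play audio, but it also means every `audio`-group user shares that daemon; a note next to it would record the trade-off. elster.nix on the same line repeats the browsers.nix pattern and would benefit from the same one-line intent comment.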
@@ -0,0 +1,97 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + createStaticPage = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/${domain}; + '') + ]; + }; + #networking.extraHosts = '' + # 10.243.206.102 ${domain} + #''; + }; + +in { + imports = [ + ../../3modules/lass/iptables.nix + ] ++ map createStaticPage [ + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + ]; + }; + }; + + + krebs.nginx = { + enable = true; + servers = { + + #"habsys.de" = { + # server-names = [ + # "habsys.de" + # "www.habsys.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/habsys.de; + # '') + # ]; + #}; + + #"karlaskop.de" = { + # server-names = [ + # "karlaskop.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; + + #"pixelpocket.de" = { + # server-names = [ + # "pixelpocket.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; + + }; + }; + + #services.postgresql = { + # enable = true; + #}; + + #config.services.vsftpd = { + # enable = true; + # userlistEnable = true; + # userlistFile = pkgs.writeFile "vsftpd-userlist" '' + # ''; + #}; +} diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix new file mode 100644 index 000000000..6043a8759 --- /dev/null +++ b/lass/2configs/games.nix 
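Review bot: The three commented-out `krebs.nginx.servers` blocks duplicate what `createStaticPage` now generates, and the `pixelpocket.de` one still carries the copy-paste error (`www.karlaskop.de` and `root /var/lib/http/karlaskop.de`) that the helper presumably exists to avoid; delete them rather than keep a wrong template around. The `lass.iptables` http rule has no `precedence`, unlike every rule in base.nix — fine if the module defaults it, otherwise state which value it gets. The commented `services.postgresql` and `services.vsftpd` stubs can go for the same reason as the server blocks.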
@@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+
+let
+ mainUser = config.users.extraUsers.mainUser;
+
+in {
+ environment.systemPackages = with pkgs; [
+ dwarf_fortress
+ ];
+
+ users.extraUsers = {
+ games = {
+ name = "games";
+ description = "user playing games";
+ home = "/home/games";
+ extraGroups = [ "audio" "video" "input" ];
+ createHome = true;
+ useDefaultShell = true;
+ };
+ };
+
+ security.sudo.extraConfig = ''
+ ${mainUser.name} ALL=(games) NOPASSWD: ALL
+ '';
+}
diff --git a/lass/2configs/gitolite-base.nix b/lass/2configs/gitolite-base.nix
new file mode 100644
index 000000000..b47629956
--- /dev/null
+++ b/lass/2configs/gitolite-base.nix
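Review bot: `extraGroups = [ "audio" "video" "input" ]` puts the `games` user into `input`, and with the stock udev rules that group can read every `/dev/input/event*` device, including the keyboard of the main user's session, so the separate account isolates much less than the file suggests. If the membership is there for gamepads, say so and narrow it, e.g. `# "input" for joystick/gamepad access; NOTE this also exposes keyboard events` plus a udev rule that grants the controller devices to a dedicated group instead. The sudo rule mirrors browsers.nix and would benefit from the same one-line comment on the per-application user model.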
@@ -0,0 +1,173 @@ +{ config, ... }: + +{ + services.gitolite = { + mutable = false; + keys = { + lass = config.sshKeys.lass.pub; + uriel = config.sshKeys.uriel.pub; + }; + rc = '' + %RC = ( + UMASK => 0077, + GIT_CONFIG_KEYS => "", + LOG_EXTRA => 1, + ROLES => { + READERS => 1, + WRITERS => 1, + }, + LOCAL_CODE => "$ENV{HOME}/.gitolite", + ENABLE => [ + 'help', + 'desc', + 'info', + 'perms', + 'writable', + 'ssh-authkeys', + 'git-config', + 'daemon', + 'gitweb', + 'repo-specific-hooks', + ], + ); + 1; + ''; + + repoSpecificHooks = { + irc-announce = '' + #! /bin/sh + set -euf + + config_file="$GL_ADMIN_BASE/conf/irc-announce.conf" + if test -f "$config_file"; then + . "$config_file" + fi + + # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update + # any relevant gitolite LOCAL_CODE! + # CAVEAT we hope that IRC_NICK is unique + IRC_NICK="''${IRC_NICK-gl$GL_TID}" + IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}" + IRC_SERVER="''${IRC_SERVER-ire.retiolum}" + IRC_PORT="''${IRC_PORT-6667}" + + # for privmsg_cat below + export IRC_CHANNEL + + # collect users that are mentioned in the gitolite configuration + interested_users="$(perl -e ' + do "gl-conf"; + print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} }); + ')" + + # CAVEAT beware of real TABs in grep pattern! + # CAVEAT there will never be more than 42 relevant log entries! 
+ tab=$(printf '\x09') + log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^$tab]*$tab$GL_TID$tab" || :)" + + update_log="$(echo "$log" | grep "^[^$tab]*$tab$GL_TID''${tab}update")" + + # (debug output) + env | sed 's/^/env: /' + echo "$log" | sed 's/^/log: /' + + # see http://gitolite.com/gitolite/dev-notes.html#lff + reponame=$(echo "$update_log" | cut -f 4) + username=$(echo "$update_log" | cut -f 5) + ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||') + old_sha=$(echo "$update_log" | cut -f 8) + new_sha=$(echo "$update_log" | cut -f 9) + + # check if new branch is created + if test $old_sha = 0000000000000000000000000000000000000000; then + # TODO what should we really show? + old_sha=$new_sha^ + fi + + # + git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)" + commit_count=$(echo "$git_log" | wc -l) + + # echo2 and cat2 are used output to both, stdout and stderr + # This is used to see what we send to the irc server. (debug output) + echo2() { echo "$*"; echo "$*" >&2; } + cat2() { tee /dev/stderr; } + + # privmsg_cat transforms stdin to a privmsg + privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + + # ircin is used to feed the output of netcat back to the "irc client" + # so we can implement expect-like behavior with sed^_^ + # XXX mkselfdestructingtmpfifo would be nice instead of this cruft + tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" + cd "$tmpdir" + mkfifo ircin + trap " + rm ircin + cd '$OLDPWD' + rmdir '$tmpdir' + trap - EXIT INT QUIT + " EXIT INT QUIT + + # + # + # + { + echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" + echo2 "NICK $IRC_NICK" + + # wait for MODE message + sed -n '/^:[^ ]* MODE /q' + + echo2 "JOIN $IRC_CHANNEL" + + echo "$interested_users" \ + | tr ' ' '\n' \ + | grep -v "^$GL_USER" \ + | sed 's/$/: poke/' \ + | privmsg_cat \ + | cat2 + + printf '[\x0313%s\x03] %s pushed %s new commit%s to \x036%s %s\x03\n' \ + "$reponame" \ + "$username" \ + "$commit_count" \ + "$(test $commit_count 
= 1 || echo s)" \ + "$(hostname)" \ + "$ref_name" \ + | privmsg_cat \ + | cat2 + + echo "$git_log" \ + | sed 's/^/\x0314/;s/ /\x03 /' \ + | privmsg_cat \ + | cat2 + + echo2 "PART $IRC_CHANNEL" + + # wait for PART confirmation + sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' + + echo2 'QUIT :Gone to have lunch' + } < ircin \ + | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin + ''; + }; + customFiles = [ + { + path = ".gitolite/conf/irc-announce.conf"; + file = '' + IRC_NICK="$(hostname)$GL_TID" + case "$GL_REPO" in + brain|painload|services|load-env|config) + IRC_CHANNEL='#retiolum' + ;; + *) + IRC_CHANNEL='&testing' + ;; + esac + ''; + } + ]; + }; +} diff --git a/lass/2configs/identity.nix b/lass/2configs/identity.nix new file mode 100644 index 000000000..bfaad14d2 --- /dev/null +++ b/lass/2configs/identity.nix @@ -0,0 +1,48 @@ +{ config, ... }: + +{ + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + search = "retiolum"; + hosts = { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + "aidsballs.de" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; + }; +} 
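Review bot: `keys = { lass = config.sshKeys.lass.pub; uriel = config.sshKeys.uriel.pub; }` depends on the `sshKeys` options, but this file imports nothing and base.nix no longer pulls in sshkeys.nix; the only visible importer, mors/repos.nix, relies on `../common/krebs-keys.nix` to provide them, which is outside this page, so an explicit `imports = [ ./sshkeys.nix ];` (or a comment naming the provider) would make the dependency local. In the `irc-announce` hook, `mktemp -d irc-announce_XXXXXXXX` has no directory prefix, so the scratch directory is created in whatever the hook's working directory is — presumably the bare repository — rather than under `$TMPDIR`; `tmpdir="$(mktemp -d "''${TMPDIR:-/tmp}/irc-announce_XXXXXXXX")"` keeps repository directories clean. The hook speaks plain-text IRC via `nc` to `ire.retiolum`; stating in the `CAVEAT` block that this is only meant for the VPN would stop someone pointing `IRC_SERVER` at a public network. The `%RC` `UMASK => 0077` and `GIT_CONFIG_KEYS => ""` are good defaults and worth a short comment so they survive future edits.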
diff --git a/lass/2configs/ircd.nix b/lass/2configs/ircd.nix new file mode 100644 index 000000000..f71b769fd --- /dev/null +++ b/lass/2configs/ircd.nix @@ -0,0 +1,92 @@ +{ config, pkgs, ... }: + +{ + config.services.charybdis = { + enable = true; + config = '' + serverinfo { + name = "ire.irc.retiolum"; + sid = "4z3"; + description = "miep!"; + network_name = "irc.retiolum"; + network_desc = "Retiolum IRC Network"; + hub = yes; + + vhost = "0.0.0.0"; + vhost6 = "::"; + + #ssl_private_key = "etc/ssl.key"; + #ssl_cert = "etc/ssl.cert"; + #ssl_dh_params = "etc/dh.pem"; + #ssld_count = 1; + + default_max_clients = 10000; + #nicklen = 30; + }; + + listen { + defer_accept = yes; + + /* If you want to listen on a specific IP only, specify host. + * host definitions apply only to the following port line. + */ + host = "0.0.0.0"; + port = 6667; + sslport = 6697; + + /* Listen on IPv6 (if you used host= above). */ + host = "::"; + port = 6667; + sslport = 9999; + }; + + class "users" { + ping_time = 2 minutes; + number_per_ident = 200; + number_per_ip = 200; + number_per_ip_global = 500; + cidr_ipv4_bitlen = 24; + cidr_ipv6_bitlen = 64; + number_per_cidr = 9000; + max_number = 10000; + sendq = 400 kbytes; + }; + + exempt { + ip = "127.0.0.1"; + }; + + auth { + user = "*@*"; + class = "users"; + flags = exceed_limit; + }; + + channel { + use_invex = yes; + use_except = yes; + use_forward = yes; + use_knock = yes; + knock_delay = 5 minutes; + knock_delay_channel = 1 minute; + max_chans_per_user = 15; + max_bans = 100; + max_bans_large = 500; + default_split_user_count = 0; + default_split_server_count = 0; + no_create_on_split = no; + no_join_on_split = no; + burst_topicwho = yes; + kick_on_split_riding = no; + only_ascii_channels = no; + resv_forcepart = yes; + channel_target_change = yes; + disable_local_channels = no; + }; + general { + #maybe we want ident someday? + disable_auth = yes; + }; + ''; + }; +} 
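Review bot: The `listen` blocks bind `0.0.0.0` and `::` on 6667 and also declare `sslport = 6697` and `sslport = 9999` while every `ssl_*` key is commented out, so TLS listeners are configured without a certificate; either drop the `sslport` lines or provide `ssl_private_key`/`ssl_cert`, and the differing v4/v6 TLS ports look accidental. With `disable_auth = yes` and `auth { user = "*@*"; flags = exceed_limit; }` anyone who reaches the socket connects unthrottled, so the intended exposure — apparently retiolum-only, given `network_name = "irc.retiolum"` — should be visible in the file: bind `host` to the retiolum address instead of the wildcards, or add a comment that base.nix's INPUT DROP policy (no rule here opens 6667) is what keeps the daemon off the public interface.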
diff --git a/lass/2configs/mors/repos.nix b/lass/2configs/mors/repos.nix
new file mode 100644
index 000000000..1f7f33456
--- /dev/null
+++ b/lass/2configs/mors/repos.nix
@@ -0,0 +1,87 @@
+{ ... }:
+
+{
+ imports = [
+ ../lass/gitolite-base.nix
+ ../common/krebs-keys.nix
+ ../common/krebs-repos.nix
+ ];
+
+ services.gitolite = {
+ repos = {
+
+ config = {
+ users = {
+ lass = "RW+";
+ uriel = "R";
+ tv = "R";
+ };
+ extraConfig = "option hook.post-receive = irc-announce";
+ };
+
+ pass = {
+ users = {
+ lass = "RW+";
+ uriel = "R";
+ };
+ };
+
+ load-env = {
+ users = {
+ lass = "RW+";
+ uriel = "R";
+ tv = "R";
+ };
+ extraConfig = "option hook.post-receive = irc-announce";
+ };
+
+ emse-drywall = {
+ users = {
+ lass = "RW+";
+ uriel = "R";
+ tv = "R";
+ };
+ extraConfig = "option hook.post-receive = irc-announce";
+ };
+
+ emse-hsdb = {
+ users = {
+ lass = "RW+";
+ uriel = "R";
+ tv = "R";
+ };
+ extraConfig = "option hook.post-receive = irc-announce";
+ };
+
+ brain = {
+ users = {
+ lass = "RW+";
+ };
+ extraConfig = "option hook.post-receive = irc-announce";
+ #hooks.post-receive = irc-announce;
+ };
+
+ painload = {
+ users = {
+ lass = "RW+";
+ };
+ extraConfig = "option hook.post-receive = irc-announce";
+ };
+
+ services = {
+ users = {
+ lass = "RW+";
+ };
+ extraConfig = "option hook.post-receive = irc-announce";
+ };
+
+ xmonad-config = {
+ users = {
+ lass = "RW+";
+ uriel = "R";
+ };
+ };
+
+ };
+ };
+}
diff --git a/lass/2configs/mors/retiolum.nix b/lass/2configs/mors/retiolum.nix
new file mode 100644
index 000000000..1148bee9c
--- /dev/null
+++ b/lass/2configs/mors/retiolum.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../tv/retiolum
+ ];
+
+ tv.retiolum = {
+ enable = true;
+ hosts = ;
+ privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
+ connectTo = [
+ "fastpoke"
+ "gum"
+ "ire"
+ ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
+}
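Review bot: `hosts = ;` in mors/retiolum.nix is a syntax error — Nix has no empty attribute value — so any evaluation that reaches this file fails; it needs a value (retiolum.nix in the same commit uses `hosts = ../../Zhosts;`) or the file should be deleted if `krebs.retiolum` has replaced `tv.retiolum` for mors. mors/repos.nix is not imported by the new mors.nix either (that file imports new-repos.nix), and its `../lass/gitolite-base.nix` path does not match where this commit places gitolite-base.nix, so both files under `2configs/mors/` look like stale copies that should be wired in or removed rather than left to drift.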
diff --git a/lass/2configs/new-repos.nix b/lass/2configs/new-repos.nix new file mode 100644 index 000000000..809091b32 --- /dev/null +++ b/lass/2configs/new-repos.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with import ../../tv/lib { inherit lib pkgs; }; +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.krebs.build.host.name}"; + root-desc = "keep calm and engage"; + inherit repos rules; + }; + }; + + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.krebs.build.host.secure restricted-repos + ); + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + painload = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ tv makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs; } + ); + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + +in out 
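Review bot: The collaborator fetch rule in `make-rules` can never fire: `rules` is built from `repos`, which has `collaborators` stripped by `removeAttrs`, and `make-restricted-repo` already drops the attribute by returning only `name`, `desc` and `public`, so `repo.collaborators or []` is always `[]` and `tv`/`makefu` get no access to `brain`. The effect is fail-closed, but it silently contradicts the declared intent and nothing would flag it. Derive the rules from the unstripped set and let `make-restricted-repo` pass `collaborators` through, while `repos` keeps stripping it for `krebs.git` (which presumably does not accept the attribute).

```nix
  # everything, including the collaborators attribute that the
  # krebs.git module presumably does not accept
  all-repos =
    public-repos //
    optionalAttrs config.krebs.build.host.secure restricted-repos;

  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;

  # rules must see collaborators, so derive them from the unstripped set
  rules = concatMap make-rules (attrValues all-repos);

  # … unchanged: public-repos, restricted-repos, make-public-repo …

  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
  };

  # … unchanged: make-rules …
```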
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix new file mode 100644 index 000000000..33eca0a17 --- /dev/null +++ b/lass/2configs/pass.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + pass + gnupg1 + ]; + + services.xserver.startGnuPGAgent = true; +} diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix new file mode 100644 index 000000000..41d241bac --- /dev/null +++ b/lass/2configs/programs.nix @@ -0,0 +1,24 @@ +{ config, pkgs, ... }: + +## TODO sort and split up +{ + environment.systemPackages = with pkgs; [ + aria2 + gnupg1compat + htop + i3lock + mc + mosh + mpv + pass + pavucontrol + pv + pwgen + python34Packages.livestreamer + remmina + silver-searcher + wget + xsel + youtube-dl + ]; +} diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix new file mode 100644 index 000000000..95890f70e --- /dev/null +++ b/lass/2configs/retiolum.nix @@ -0,0 +1,28 @@ +{ ... }: + +{ + imports = [ + ../../3modules/lass/iptables.nix + ../../tv/configs/exim-retiolum.nix + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } + { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } + ]; + }; + }; + + krebs.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "cloudkrebs" + "pigstarter" + ]; + }; +} diff --git a/lass/2configs/sshkeys.nix b/lass/2configs/sshkeys.nix new file mode 100644 index 000000000..114a2596b --- /dev/null +++ b/lass/2configs/sshkeys.nix 
@@ -0,0 +1,11 @@
+{ config, ... }:
+
+{
+ imports = [
+ ../../3modules/lass/sshkeys.nix
+ ];
+
+ config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors";
+
+ config.sshKeys.uriel.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel";
+}
diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix
new file mode 100644
index 000000000..7d088fc6a
--- /dev/null
+++ b/lass/2configs/steam.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+{
+
+ imports = [
+ ./games.nix
+ ];
+ #
+ # Steam stuff
+ # source: https://nixos.org/wiki/Talk:Steam
+ #
+ ##TODO: make steam module
+ hardware.opengl.driSupport32Bit = true;
+
+ nixpkgs.config.steam.java = true;
+ environment.systemPackages = with pkgs; [
+ steam
+ ];
+ networking.firewall = {
+ allowedUDPPorts = [
+ 27031
+ 27036
+ ];
+ allowedTCPPorts = [
+ 27036
+ 27037
+ ];
+ };
+
+}
diff --git a/lass/2configs/texlive.nix b/lass/2configs/texlive.nix
new file mode 100644
index 000000000..295df31cd
--- /dev/null
+++ b/lass/2configs/texlive.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ (pkgs.texLiveAggregationFun { paths = [ pkgs.texLive pkgs.texLiveFull ]; })
+ ];
+}
diff --git a/lass/2configs/urxvt.nix b/lass/2configs/urxvt.nix
new file mode 100644
index 000000000..a2074ba02
--- /dev/null
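Review bot: The two public keys are embedded as literal strings in `config.sshKeys.lass.pub` and `config.sshKeys.uriel.pub`, while other parts of this tree read the same users' keys from `../../Zpubkeys/*.ssh.pub` files, so the repository now carries two copies of each key that can silently drift (a rotated key in Zpubkeys would not reach consumers of `sshKeys`). If the Zpubkeys directory still exists at that relative path, `config.sshKeys.lass.pub = builtins.readFile ../../Zpubkeys/lass.ssh.pub;` (and likewise for uriel) keeps a single source of truth; note that `readFile` preserves the trailing newline, so the consumers of `sshKeys.*.pub` must tolerate it or the value needs a `removeSuffix "\n"`.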
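Review bot: steam.nix opens its ports through `networking.firewall.allowedUDPPorts`/`allowedTCPPorts`, i.e. the stock NixOS firewall, while the other configs in this series (retiolum.nix on the previous line) manage the filter table through `lass.iptables`, whose start script loads a complete ruleset with `iptables-restore` (visible further down in this patch); if a host imports both, whichever unit runs last replaces the other's rules, and the Steam ports may silently end up closed. Either express them as `lass.iptables.tables.filter.INPUT.rules` entries, or add a comment above `networking.firewall` stating that this config is only for hosts that do not use lass.iptables.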
+++ b/lass/2configs/urxvt.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+let
+ inherit (config.users.extraUsers) mainUser;
+
+in
+
+{
+ imports = [
+ ../../3modules/lass/urxvtd.nix
+ ../../3modules/lass/xresources.nix
+ ];
+
+ services.urxvtd = {
+ enable = true;
+ users = [ mainUser.name ];
+ urxvtPackage = pkgs.rxvt_unicode_with-plugins;
+ };
+ services.xresources.enable = true;
+ services.xresources.resources.urxvt = ''
+ URxvt*scrollBar: false
+ URxvt*urgentOnBell: true
+ URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-*
+ URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-*
+ URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
+ URxvt.url-select.launcher: browser-select
+ URxvt.url-select.underline: true
+ URxvt.keysym.M-u: perl:url-select:select_next
+ URxvt.keysym.M-Escape: perl:keyboard-select:activate
+ URxvt.keysym.M-s: perl:keyboard-select:search
+
+ URxvt.intensityStyles: false
+
+ URxvt*background: #000000
+ URxvt*foreground: #ffffff
+
+ !change unreadable blue
+ URxvt*color4: #268bd2
+ '';
+}
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
new file mode 100644
index 000000000..3fe45e1d1
--- /dev/null
+++ b/lass/2configs/vim.nix
@@ -0,0 +1,118 @@ +{ config, pkgs, ... }: + +let + customPlugins.mustang2 = pkgs.vimUtils.buildVimPlugin { + name = "Mustang2"; + src = pkgs.fetchFromGitHub { + owner = "croaker"; + repo = "mustang-vim"; + rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; + sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; + }; + }; + +in { + + environment.systemPackages = [ + (pkgs.vim_configurable.customize { + name = "vim"; + + vimrcConfig.customRC = '' + set nocompatible + set t_Co=16 + syntax on + " TODO autoload colorscheme file + set background=dark + colorscheme mustang + filetype off + filetype plugin indent on + + imap + + set mouse=a + set ruler + set showmatch + set backspace=2 + set visualbell + set encoding=utf8 + set showcmd + set wildmenu + + set title + set titleold= + set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} + + set autoindent + + set ttyfast + + set pastetoggle= + + + " Force Saving Files that Require Root Permission + command! W silent w !sudo tee "%" >/dev/null + + nnoremap :q + vnoremap < >gv + + nmap q :buffer + + "Tabwidth + set ts=2 sts=2 sw=2 et + + " create Backup/tmp/undo dirs + function! InitBackupDir() + let l:parent = $HOME . '/.vim/' + let l:backup = l:parent . 'backups/' + let l:tmpdir = l:parent . 'tmp/' + let l:undodi = l:parent . 
'undo/' + + if !isdirectory(l:parent) + call mkdir(l:parent) + endif + if !isdirectory(l:backup) + call mkdir(l:backup) + endif + if !isdirectory(l:tmpdir) + call mkdir(l:tmpdir) + endif + if !isdirectory(l:undodi) + call mkdir(l:undodi) + endif + endfunction + call InitBackupDir() + + " Backups & Files + set backup + set backupdir=~/.vim/backups + set directory=~/.vim/tmp// + set viminfo='20,<1000,s100,h,n~/.vim/tmp/info + set undodir=$HOME/.vim/undo + set undofile + + " highlight whitespaces + highlight ExtraWhitespace ctermbg=red guibg=red + match ExtraWhitespace /\s\+$/ + autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ + autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@ iptablesAttrSet` -> str + #todo: differentiate by iptables-version + buildTables = v: ts: + let + + declareChain = t: cn: + #TODO: find out what to do whit these count numbers + ":${cn} ${t."${cn}".policy} [0:0]"; + + buildChain = tn: cn: + let + sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; + + in + #TODO: double check should be unneccessary, refactor! + if (hasAttr "rules" ts."${tn}"."${cn}") then + if (ts."${tn}"."${cn}".rules == null) then + "" + else + concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] + ++ map (buildRule tn cn) sortedRules + ) + else + "" + ; + + + buildRule = tn: cn: rule: + #target validation test: + assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); + + #predicate validation test: + #maybe use iptables-test + #TODO: howto exit with evaluation error by shellscript? + #apperantly not possible from nix because evalatution wouldn't be deterministic. 
+ "${rule.predicate} -j ${rule.target}"; + + buildTable = tn: + "*${tn}\n" + + concatStringsSep "\n" ([] + ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") + ) + + #this looks dirty, find a better way to do this (maybe optionalString) + concatStringsSep "" ([] + ++ map (buildChain tn) (attrNames ts."${tn}") + ) + + "\nCOMMIT"; + in + concatStringsSep "\n" ([] + ++ map buildTable (attrNames ts) + ); + +#===== + + rules4 = iptables-version: + let + #TODO: find out good defaults. + tables-defaults = { + nat.PREROUTING.policy = "ACCEPT"; + nat.INPUT.policy = "ACCEPT"; + nat.OUTPUT.policy = "ACCEPT"; + nat.POSTROUTING.policy = "ACCEPT"; + filter.INPUT.policy = "ACCEPT"; + filter.FORWARD.policy = "ACCEPT"; + filter.OUTPUT.policy = "ACCEPT"; + + #if someone specifies any other rules on this chain, the default rules get lost. + #is this wanted beahiviour or a bug? + #TODO: implement abstraction of rules + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + ]; + }; + tables = tables-defaults // cfg.tables; + + in + writeText "lass-iptables-rules${toString iptables-version}" '' + ${buildTables iptables-version tables} + ''; + + startScript = writeScript "lass-iptables_start" '' + #! /bin/sh + set -euf + iptables-restore < ${rules4 4} + ip6tables-restore < ${rules4 6} + ''; + +in +out + diff --git a/lass/3modules/sshkeys.nix b/lass/3modules/sshkeys.nix new file mode 100644 index 000000000..5f1c60668 --- /dev/null +++ b/lass/3modules/sshkeys.nix @@ -0,0 +1,26 @@ +{ lib, ... }: + +with lib; + +{ + options = { + sshKeys = mkOption { + type = types.attrsOf (types.submodule ( + { config, ... }: + { + options = { + pub = mkOption { + type = types.str; + description = "Public part of the ssh key."; + }; + + priv = mkOption { + type = types.str; + description = "Private part of the ssh key."; + }; + }; + })); + description = "collection of ssh-keys"; + }; + }; +} 
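Review bot: In lass/3modules/sshkeys.nix the `priv` option is declared as `types.str`, which invites putting private key material directly into the evaluated configuration; any consumer that interpolates such a value into a derivation or an `environment.etc` entry writes it into the world-readable Nix store. At minimum the option description should say so, e.g. `description = "Private part of the ssh key. Do not set this from a literal: a value used in a derivation ends up world-readable in /nix/store; reference a file outside the store instead.";`. The submodule also binds `{ config, ... }:` without using `config`, which can be shortened to `{ ... }:`.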
diff --git a/lass/3modules/urxvtd.nix b/lass/3modules/urxvtd.nix
new file mode 100644
index 000000000..469616a9f
--- /dev/null
+++ b/lass/3modules/urxvtd.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+in
+
+with builtins;
+with lib;
+
+{
+ options = {
+ services.urxvtd = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable urxvtd per user";
+ };
+ users = mkOption {
+ type = types.listOf types.string;
+ default = [];
+ description = "users to run urxvtd for";
+ };
+ urxvtPackage = mkOption {
+ type = types.package;
+ default = pkgs.rxvt_unicode;
+ description = "urxvt package to use";
+ };
+ };
+ };
+
+ config =
+ let
+ cfg = config.services.urxvtd;
+ users = cfg.users;
+ urxvt = cfg.urxvtPackage;
+ mkService = user: {
+ description = "urxvt terminal daemon";
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = false;
+ path = [ pkgs.xlibs.xrdb ];
+ environment = {
+ DISPLAY = ":0";
+ URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl";
+ };
+ serviceConfig = {
+ Restart = "always";
+ User = user;
+ ExecStart = "${urxvt}/bin/urxvtd";
+ };
+ };
+ in
+ mkIf cfg.enable {
+ environment.systemPackages = [ urxvt ];
+ systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
+ };
+}
diff --git a/lass/3modules/xresources.nix b/lass/3modules/xresources.nix
new file mode 100644
index 000000000..15c5b8b74
--- /dev/null
+++ b/lass/3modules/xresources.nix
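Review bot: `users` is typed `types.listOf types.string` while the sibling module xresources.nix (next file) and the rest of this patch use `types.str`; the two spellings are different types with different merge behaviour, and the modules should agree: `type = types.listOf types.str;`. The generated unit also hardcodes `DISPLAY = ":0"` and is `wantedBy multi-user.target` with `Restart = "always"`, so on a host where X is not up yet, or runs on another display, urxvtd will presumably crash-loop until it is; a comment such as `# assumes the user's X server is on :0 and already running` next to `DISPLAY`, or tying the unit to the display manager instead of multi-user.target, would make that assumption visible. The empty `let in` before `with builtins;` can be dropped.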
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+#TODO:
+#prefix with Attribute Name
+#ex: urxvt
+
+#
+#
+with builtins;
+with lib;
+
+
+let
+
+ inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape;
+ inherit (pkgs) writeScript;
+
+in
+
+{
+
+ options = {
+ services.xresources.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable the automatic loading of Xresources definitions at display-manager start;
+ '';
+ };
+
+ services.xresources.resources = mkOption {
+ default = {};
+ type = types.attrsOf types.str;
+ example = {
+ urxvt = ''
+ URxvt*scrollBar: false
+ URxvt*urgentOnBell: true
+ '';
+ };
+ description = ''
+ Xresources definitions.
+ '';
+ };
+ };
+
+ config =
+ let
+ cfg = config.services.xresources;
+ xres = concatStringsSep "\n" (attrValues cfg.resources);
+
+ in mkIf cfg.enable {
+ services.xserver.displayManager.sessionCommands = ''
+ echo ${shell-escape xres} | xrdb -merge
+ '';
+ };
+
+}
--
cgit v1.3.1
From 06cb4d25ef40773e2cc516e50a9aeec6cbe1d0a8 Mon Sep 17 00:00:00 2001
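Review bot: `inherit (pkgs) writeScript;` in the `let` block is never used in this file (the only consumer of the bindings is `shell-escape` in `sessionCommands`), so it should be dropped. The `enable` option's description ends in a semicolon, `...at display-manager start;`, which reads as a truncated sentence in generated option docs; make it `Whether to enable the automatic loading of Xresources definitions at display-manager start.`. The `#TODO: / #prefix with Attribute Name / #ex: urxvt` header followed by two bare `#` lines is hard to act on; either state concretely that each `resources` entry should be prefixed with its attribute name when merged, or remove the empty comment lines.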
From: tv Date: Tue, 28 Jul 2015 21:38:22 +0200 Subject: */krebs -> krebs/* --- 3modules/krebs/default.nix | 407 ----------------------------- 3modules/krebs/git.nix | 490 ----------------------------------- 3modules/krebs/github-hosts-sync.nix | 83 ------ 3modules/krebs/nginx.nix | 72 ----- 3modules/krebs/retiolum.nix | 226 ---------------- 3modules/krebs/urlwatch.nix | 138 ---------- 4lib/krebs/default.nix | 18 -- 4lib/krebs/dns.nix | 31 --- 4lib/krebs/listset.nix | 11 - 4lib/krebs/tree.nix | 13 - 4lib/krebs/types.nix | 109 -------- Zpkgs/krebs/default.nix | 14 - Zpkgs/krebs/dic.nix | 36 --- Zpkgs/krebs/genid.nix | 22 -- Zpkgs/krebs/github-hosts-sync.nix | 40 --- Zpkgs/krebs/github-known_hosts.nix | 13 - Zpkgs/krebs/hashPassword.nix | 16 -- default.nix | 2 +- krebs/3modules/default.nix | 407 +++++++++++++++++++++++++++++ krebs/3modules/git.nix | 486 ++++++++++++++++++++++++++++++++++ krebs/3modules/github-hosts-sync.nix | 83 ++++++ krebs/3modules/nginx.nix | 72 +++++ krebs/3modules/retiolum.nix | 226 ++++++++++++++++ krebs/3modules/urlwatch.nix | 138 ++++++++++ krebs/4lib/default.nix | 18 ++ krebs/4lib/dns.nix | 31 +++ krebs/4lib/listset.nix | 11 + krebs/4lib/tree.nix | 13 + krebs/4lib/types.nix | 109 ++++++++ krebs/5pkgs/default.nix | 14 + krebs/5pkgs/dic.nix | 36 +++ krebs/5pkgs/genid.nix | 22 ++ krebs/5pkgs/github-hosts-sync.nix | 40 +++ krebs/5pkgs/github-known_hosts.nix | 13 + krebs/5pkgs/hashPassword.nix | 16 ++ tv/4lib/default.nix | 2 +- tv/5pkgs/default.nix | 4 +- 37 files changed, 1739 insertions(+), 1743 deletions(-) delete mode 100644 3modules/krebs/default.nix delete mode 100644 3modules/krebs/git.nix delete mode 100644 3modules/krebs/github-hosts-sync.nix delete mode 100644 3modules/krebs/nginx.nix delete mode 100644 3modules/krebs/retiolum.nix delete mode 100644 3modules/krebs/urlwatch.nix delete mode 100644 4lib/krebs/default.nix delete mode 100644 4lib/krebs/dns.nix delete mode 100644 4lib/krebs/listset.nix delete mode 100644 4lib/krebs/tree.nix 
delete mode 100644 4lib/krebs/types.nix delete mode 100644 Zpkgs/krebs/default.nix delete mode 100644 Zpkgs/krebs/dic.nix delete mode 100644 Zpkgs/krebs/genid.nix delete mode 100644 Zpkgs/krebs/github-hosts-sync.nix delete mode 100644 Zpkgs/krebs/github-known_hosts.nix delete mode 100644 Zpkgs/krebs/hashPassword.nix create mode 100644 krebs/3modules/default.nix create mode 100644 krebs/3modules/git.nix create mode 100644 krebs/3modules/github-hosts-sync.nix create mode 100644 krebs/3modules/nginx.nix create mode 100644 krebs/3modules/retiolum.nix create mode 100644 krebs/3modules/urlwatch.nix create mode 100644 krebs/4lib/default.nix create mode 100644 krebs/4lib/dns.nix create mode 100644 krebs/4lib/listset.nix create mode 100644 krebs/4lib/tree.nix create mode 100644 krebs/4lib/types.nix create mode 100644 krebs/5pkgs/default.nix create mode 100644 krebs/5pkgs/dic.nix create mode 100644 krebs/5pkgs/genid.nix create mode 100644 krebs/5pkgs/github-hosts-sync.nix create mode 100644 krebs/5pkgs/github-known_hosts.nix create mode 100644 krebs/5pkgs/hashPassword.nix diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix deleted file mode 100644 index 9e25df0bf..000000000 --- a/3modules/krebs/default.nix +++ /dev/null 
@@ -1,407 +0,0 @@ -{ config, lib, ... }: - -with import ../../4lib/krebs { inherit lib; }; -let - cfg = config.krebs; - - out = { - imports = [ - ./github-hosts-sync.nix - ./git.nix - ./nginx.nix - ./retiolum.nix - ./urlwatch.nix - ]; - options.krebs = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs"; - - build = mkOption { - type = types.submodule ({ config, ... }: { - options = { - target = mkOption { - type = with types; nullOr str; - default = null; - }; - deps = mkOption { - type = with types; attrsOf (submodule { - options = { - url = mkOption { - type = str; - }; - rev = mkOption { - type = nullOr str; - default = null; - }; - }; - }); - default = {}; - }; - script = mkOption { - type = types.str; - default = '' - #! /bin/sh - set -efux - - target=${escapeShellArg cfg.build.target} - - push(){( - src=$1/ - dst=$target:$2 - rsync \ - --exclude .git \ - --exclude .graveyard \ - --exclude old \ - --rsync-path="mkdir -p \"$dst\" && rsync" \ - --usermap=\*:0 \ - --groupmap=\*:0 \ - --delete-excluded \ - -vrLptgoD \ - "$src" "$dst" - )} - - ${concatStrings (mapAttrsToList (name: { url, rev, ... }: - optionalString (rev == null) '' - push ${toString (map escapeShellArg [ - "${url}" - "/root/src/${name}" - ])} - '') config.deps)} - - exec ssh -S none "$target" /bin/sh <<\EOF - set -efux - fetch(){( - url=$1 - rev=$2 - dst=$3 - mkdir -p "$dst" - cd "$dst" - if ! test -e .git; then - git init - fi - if ! cur_url=$(git config remote.origin.url 2>/dev/null); then - git remote add origin "$url" - elif test "$cur_url" != "$url"; then - git remote set-url origin "$url" - fi - if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then - git fetch origin - git checkout "$rev" -- . - git checkout -q "$rev" - git submodule init - git submodule update - fi - git clean -dxf - )} - - ${concatStrings (mapAttrsToList (name: { url, rev, ... 
}: - optionalString (rev != null) '' - fetch ${toString (map escapeShellArg [ - url - rev - "/root/src/${name}" - ])} - '') config.deps)} - - echo build system... - profile=/nix/var/nix/profiles/system - NIX_PATH=/root/src \ - nix-env \ - -Q \ - -p "$profile" \ - -f '' \ - --set \ - -A system \ - --argstr user-name ${escapeShellArg cfg.build.user.name} \ - --argstr system-name ${escapeShellArg cfg.build.host.name} - - exec "$profile"/bin/switch-to-configuration switch - EOF - ''; - }; - host = mkOption { - type = types.host; - }; - user = mkOption { - type = types.user; - }; - }; - }); - # Define defaul value, so unset values of the submodule get reported. - default = {}; - }; - - dns = { - providers = mkOption { - # TODO with types; tree dns.label dns.provider, so we can merge. - # Currently providers can only be merged if aliases occur just once. - type = with types; attrsOf unspecified; - }; - }; - - hosts = mkOption { - type = with types; attrsOf host; - }; - - users = mkOption { - type = with types; attrsOf user; - }; - - # XXX is there a better place to define search-domain? 
- # TODO search-domains :: listOf hostname - search-domain = mkOption { - type = types.hostname; - default = "retiolum"; - }; - }; - - imp = mkMerge [ - { krebs = lass-imp; } - { krebs = makefu-imp; } - { krebs = tv-imp; } - { - krebs.dns.providers = { - de.krebsco = "ovh"; - internet = "hosts"; - retiolum = "hosts"; - }; - - # XXX This overlaps with krebs.retiolum - networking.extraHosts = concatStringsSep "\n" (flatten ( - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = toString (unique (longs ++ shorts)); - providers = dns.split-by-provider net.aliases cfg.dns.providers; - longs = providers.hosts; - shorts = map (removeSuffix ".${cfg.search-domain}") longs; - in - map (addr: "${addr} ${aliases}") net.addrs - ) host.nets - ) cfg.hosts - )); - } - ]; - - lass-imp = { - hosts = addNames { - }; - users = addNames { - lass = { - pubkey = readFile ../../Zpubkeys/lass.ssh.pub; - }; - uriel = { - pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; - }; - }; - }; - - makefu-imp = { - hosts = addNames { - pnp = { - cores = 1; - dc = "makefu"; #vm on 'omo' - nets = { - retiolum = { - addrs4 = ["10.243.0.210"]; - addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"]; - aliases = [ - "pnp.retiolum" - "cgit.pnp.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g - Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V - pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR - SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T - TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr - Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - }; - users = addNames { - makefu = { - mail = "root@euer.krebsco.de"; - pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub; - }; - }; - }; - - tv-imp = { - dns.providers = { - de.viljetic = "regfish"; - }; - hosts = addNames { - cd = { - cores = 2; - 
dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.219.7.216"]; - aliases = [ - "cd.internet" - "cd.viljetic.de" - "cgit.cd.viljetic.de" - "cd.krebsco.de" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.222"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; - aliases = [ - "cd.retiolum" - "cgit.cd.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - mkdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.248.167.241"]; - aliases = [ - "mkdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.223"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; - aliases = [ - "mkdir.retiolum" - "cgit.mkdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ - dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev - voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF - 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ - Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 - 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB - -----END RSA PUBLIC KEY----- - 
''; - }; - }; - }; - nomic = { - cores = 2; - dc = "tv"; #dc = "gg23"; - nets = rec { - retiolum = { - addrs4 = ["10.243.0.110"]; - addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; - aliases = [ - "nomic.retiolum" - "cgit.nomic.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ - qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw - Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu - 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a - OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA - Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - rmdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["167.88.44.94"]; - aliases = [ - "rmdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.224"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; - aliases = [ - "rmdir.retiolum" - "cgit.rmdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf - i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM - Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz - hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF - 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH - SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - wu = { - cores = 4; - # TODO wu is mobile, so dc means "home data center" - dc = "tv"; #dc = "gg23"; - nets = { - retiolum = { - addrs4 = ["10.243.13.37"]; - addrs6 = ["42:0:0:0:0:0:0:1337"]; - aliases = [ - "wu.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn - M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg - 
GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT - KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 - 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik - AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - }; - users = addNames { - mv = { - mail = "mv@cd.retiolum"; - pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub; - }; - tv = { - mail = "tv@wu.retiolum"; - pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; - }; - }; - }; - -in -out diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix deleted file mode 100644 index 604645189..000000000 --- a/3modules/krebs/git.nix +++ /dev/null 
@@ -1,490 +0,0 @@ -{ config, pkgs, lib, ... }: - -# TODO unify logging of shell scripts to user and journal -# TODO move all scripts to ${etcDir}, so ControlMaster connections -# immediately pick up new authenticators -# TODO when authorized_keys changes, then restart ssh -# (or kill already connected users somehow) - -with import ../../4lib/krebs { inherit lib; }; -let - cfg = config.krebs.git; - - out = { - # TODO don't import krebs.nginx here - imports = [ - ../../3modules/krebs/nginx.nix - ]; - options.krebs.git = api; - config = mkIf cfg.enable (mkMerge [ - (mkIf cfg.cgit cgit-imp) - git-imp - ]); - }; - - api = { - enable = mkEnableOption "krebs.git"; - - cgit = mkOption { - type = types.bool; - default = true; - description = '' - Enable cgit. - Cgit is an attempt to create a fast web interface for the git version - control system, using a built in cache to decrease pressure on the - git server. - cgit in this module is being served via fastcgi nginx.This module - deploys a http://cgit. nginx configuration and enables nginx - if not yet enabled. - ''; - }; - dataDir = mkOption { - type = types.str; - default = "/var/lib/git"; - description = "Directory used to store repositories."; - }; - etcDir = mkOption { - type = types.str; - default = "/etc/git"; - }; - repos = mkOption { - type = types.attrsOf (types.submodule ({ - options = { - desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository description. - ''; - }; - section = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository section. - ''; - }; - name = mkOption { - type = types.str; - description = '' - Repository name. - ''; - }; - hooks = mkOption { - type = types.attrsOf types.str; - default = {}; - description = '' - Repository-specific hooks. - ''; - }; - public = mkOption { - type = types.bool; - default = false; - description = '' - Allow everybody to read the repository via HTTP if cgit enabled. 
- ''; - # TODO allow every configured user to fetch the repository via SSH. - }; - }; - })); - - default = {}; - - example = literalExample '' - { - testing = { - name = "testing"; - hooks.post-update = ''' - #! /bin/sh - set -euf - echo post-update hook: $* >&2 - '''; - }; - testing2 = { name = "testing2"; }; - } - ''; - - description = '' - Repositories. - ''; - }; - root-desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Text printed below the heading on the repository index page. - Default value: "a fast webinterface for the git dscm". - ''; - }; - root-title = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Text printed as heading on the repository index page. - Default value: "Git Repository Browser". - ''; - }; - rules = mkOption { - type = types.unspecified; - }; - }; - - git-imp = { - system.activationScripts.git-init = "${init-script}"; - - # TODO maybe put all scripts here and then use PATH? - environment.etc."${etc-base}".source = - scriptFarm "git-ssh-authorizers" { - authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (map getName perm.allow-commands) - ]) cfg.rules); - - authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (ensureList perm.allow-receive-ref) - (map getName perm.allow-receive-modes) - ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); - }; - - users.extraUsers = singleton { - description = "Git repository hosting user"; - name = "git"; - shell = "/bin/sh"; - openssh.authorizedKeys.keys = - mapAttrsToList (_: makeAuthorizedKey git-ssh-command) - config.krebs.users; - uid = 129318403; # genid git - }; - }; - - cgit-imp = { - users.extraUsers = lib.singleton { - inherit (fcgitwrap-user) group name uid; - home = toString (pkgs.runCommand "empty" {} "mkdir -p $out"); - }; - - 
users.extraGroups = lib.singleton { - inherit (fcgitwrap-group) gid name; - }; - - services.fcgiwrap = { - enable = true; - user = fcgitwrap-user.name; - group = fcgitwrap-user.group; - # socketAddress = "/run/fcgiwrap.sock" (default) - # socketType = "unix" (default) - }; - - environment.etc."cgitrc".text = '' - css=/static/cgit.css - logo=/static/cgit.png - - # if you do not want that webcrawler (like google) index your site - robots=noindex, nofollow - - virtual-root=/ - - # TODO make this nicer (and/or somewhere else) - cache-root=/tmp/cgit - - cache-size=1000 - enable-commit-graph=1 - enable-index-links=1 - enable-index-owner=0 - enable-log-filecount=1 - enable-log-linecount=1 - enable-remote-branches=1 - - ${optionalString (cfg.root-title != null) "root-title=${cfg.root-title}"} - ${optionalString (cfg.root-desc != null) "root-desc=${cfg.root-desc}"} - - snapshots=0 - max-stats=year - - ${concatMapStringsSep "\n" (repo: '' - repo.url=${repo.name} - repo.path=${cfg.dataDir}/${repo.name} - ${optionalString (repo.section != null) "repo.section=${repo.section}"} - ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"} - '') (filter isPublicRepo (attrValues cfg.repos))} - ''; - - system.activationScripts.cgit = '' - mkdir -m 0700 -p /tmp/cgit - chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit - ''; - - krebs.nginx = { - enable = true; - servers.cgit = { - server-names = [ - "cgit.${config.networking.hostName}" - "cgit.${config.networking.hostName}.retiolum" - ]; - locations = [ - (nameValuePair "/" '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - '') - (nameValuePair "/static/" '' - root ${pkgs.cgit}/cgit; - rewrite ^/static(/.*)$ $1 break; - '') - ]; - }; - }; - }; - - fcgitwrap-user = { - name = 
"fcgiwrap"; - uid = 2867890860; # genid fcgiwrap - group = "fcgiwrap"; - }; - - fcgitwrap-group = { - name = fcgitwrap-user.name; - gid = fcgitwrap-user.uid; - }; - - - ensureList = x: - if typeOf x == "list" then x else [x]; - - getName = x: x.name; - - isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix - - makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }: - # TODO assert name - # TODO assert pubkey - let - options = concatStringsSep "," [ - ''command="exec ${git-ssh-command} ${name}"'' - "no-agent-forwarding" - "no-port-forwarding" - "no-pty" - "no-X11-forwarding" - ]; - in - "${options} ${pubkey}"; - - # [case-pattern] -> shell-script - # Create a shell script that succeeds (exit 0) when all its arguments - # match the case patterns (in the given order). - makeAuthorizeScript = - let - # TODO escape - to-pattern = x: concatStringsSep "|" (ensureList x); - go = i: ps: - if ps == [] - then "exit 0" - else '' - case ''$${toString i} in ${to-pattern (head ps)}) - ${go (i + 1) (tail ps)} - esac''; - in - patterns: '' - #! /bin/sh - set -euf - ${concatStringsSep "\n" (map (go 1) patterns)} - exit -1 - ''; - - reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules)); - - # TODO makeGitHooks that uses runCommand instead of scriptFarm? - scriptFarm = - farm-name: scripts: - let - makeScript = script-name: script-string: { - name = script-name; - path = pkgs.writeScript "${farm-name}_${script-name}" script-string; - }; - in - pkgs.linkFarm farm-name (mapAttrsToList makeScript scripts); - - - git-ssh-command = pkgs.writeScript "git-ssh-command" '' - #! 
/bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - git - gnugrep - gnused - systemd - ])} - - abort() { - echo "error: $1" >&2 - systemd-cat -p err -t git echo "error: $1" - exit -1 - } - - GIT_SSH_USER=$1 - - systemd-cat -p info -t git echo \ - "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND" - - # References: The Base Definitions volume of - # POSIX.1‐2013, Section 3.278, Portable Filename Character Set - portable_filename_bre="^[A-Za-z0-9._-]\\+$" - - command=$(echo "$SSH_ORIGINAL_COMMAND" \ - | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \ - | grep "$portable_filename_bre" \ - || abort 'cannot read command') - - GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \ - | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \ - | grep "$portable_filename_bre" \ - || abort 'cannot read reponame') - - ${cfg.etcDir}/authorize-command \ - "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \ - || abort 'access denied' - - repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO - - systemd-cat -p info -t git \ - echo "authorized exec $command $repodir" - - export GIT_SSH_USER - export GIT_SSH_REPO - exec "$command" "$repodir" - ''; - - init-script = pkgs.writeScript "git-init" '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - findutils - gawk - git - gnugrep - gnused - ])} - - dataDir=${escapeShellArg cfg.dataDir} - mkdir -p "$dataDir" - - # Notice how the presence of hooks symlinks determine whether - # we manage a repositry or not. - - # Make sure that no existing repository has hooks. We can delete - # symlinks because we assume we created them. - find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete - bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks) - if echo "$bad_hooks" | grep -q .; then - printf 'error: unknown hooks:\n%s\n' \ - "$(echo "$bad_hooks" | sed 's/^/ /')" \ - >&2 - exit -1 - fi - - # Initialize repositories. 
- ${concatMapStringsSep "\n" (repo: - let - hooks = scriptFarm "git-hooks" (makeHooks repo); - in - '' - reponame=${escapeShellArg repo.name} - repodir=$dataDir/$reponame - mode=${toString (if isPublicRepo repo then 0711 else 0700)} - if ! test -d "$repodir"; then - mkdir -m "$mode" "$repodir" - git init --bare --template=/var/empty "$repodir" - chown -R git:nogroup "$repodir" - fi - ln -s ${hooks} "$repodir/hooks" - '' - ) (attrValues cfg.repos)} - - # Warn about repositories that exist but aren't mentioned in the - # current configuration (and thus didn't receive a hooks symlink). - unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \ - -type d \! -exec test -e '{}/hooks' \; -print) - if echo "$unknown_repos" | grep -q .; then - printf 'warning: stale repositories:\n%s\n' \ - "$(echo "$unknown_repos" | sed 's/^/ /')" \ - >&2 - fi - ''; - - makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // { - pre-receive = '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils # env - git - systemd - ])} - - accept() { - #systemd-cat -p info -t git echo "authorized $1" - accept_string="''${accept_string+$accept_string - }authorized $1" - } - reject() { - #systemd-cat -p err -t git echo "denied $1" - #echo 'access denied' >&2 - #exit_code=-1 - reject_string="''${reject_string+$reject_string - }access denied: $1" - } - - empty=0000000000000000000000000000000000000000 - - accept_string= - reject_string= - while read oldrev newrev ref; do - - if [ $oldrev = $empty ]; then - receive_mode=create - elif [ $newrev = $empty ]; then - receive_mode=delete - elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then - receive_mode=fast-forward - else - receive_mode=non-fast-forward - fi - - if ${cfg.etcDir}/authorize-push \ - "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then - accept "$receive_mode $ref" - else - reject "$receive_mode $ref" - fi - done - - if [ -n "$reject_string" ]; then - systemd-cat -p err -t git echo 
"$reject_string" - exit -1 - fi - - systemd-cat -p info -t git echo "$accept_string" - - ${optionalString (hasAttr "post-receive" repo.hooks) '' - # custom post-receive hook - ${repo.hooks.post-receive}''} - ''; - }; - - etc-base = - assert (hasPrefix "/etc/" cfg.etcDir); - removePrefix "/etc/" cfg.etcDir; - -in -out diff --git a/3modules/krebs/github-hosts-sync.nix b/3modules/krebs/github-hosts-sync.nix deleted file mode 100644 index c3b56ef94..000000000 --- a/3modules/krebs/github-hosts-sync.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.github-hosts-sync; - - out = { - options.krebs.github-hosts-sync = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.github-hosts-sync"; - port = mkOption { - type = types.int; # TODO port type - default = 1028; - }; - dataDir = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/var/lib/github-hosts-sync"; - }; - ssh-identity-file = mkOption { - type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} - default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; - }; - }; - - imp = { - systemd.services.github-hosts-sync = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - environment = { - port = toString cfg.port; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "github-hosts-sync"; - User = user.name; - Restart = "always"; - ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' - #! /bin/sh - set -euf - - ssh_identity_file_target=$( - case ${cfg.ssh-identity-file} in - *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; - *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; - *) - echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 - exit 1 - esac - ) - - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - - install \ - -o ${user.name} \ - -m 0400 \ - ${cfg.ssh-identity-file} \ - "$ssh_identity_file_target" - - ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts - ''; - ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - home = cfg.dataDir; - }; - }; - - user = { - name = "github-hosts-sync"; - uid = 3220554646; # genid github-hosts-sync - }; - - Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; }; -in -out 
diff --git a/3modules/krebs/nginx.nix b/3modules/krebs/nginx.nix deleted file mode 100644 index 702e8a7f6..000000000 --- a/3modules/krebs/nginx.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ config, pkgs, lib, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.nginx; - - out = { - options.krebs.nginx = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.nginx"; - - servers = mkOption { - type = with types; attrsOf optionSet; - options = singleton { - server-names = mkOption { - type = with types; listOf str; - # TODO use identity - default = [ - "${config.networking.hostName}" - "${config.networking.hostName}.retiolum" - ]; - }; - locations = mkOption { - type = with types; listOf (attrsOf str); - }; - }; - default = {}; - }; - }; - - imp = { - services.nginx = { - enable = true; - httpConfig = '' - include ${pkgs.nginx}/conf/mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - server { - listen 80 default_server; - server_name _; - return 404; - } - ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} - ''; - }; - }; - - - indent = replaceChars ["\n"] ["\n "]; - - to-location = { name, value }: '' - location ${name} { - ${indent value} - } - ''; - - to-server = { server-names, locations, ... }: '' - server { - listen 80; - server_name ${toString server-names}; - ${indent (concatStrings (map to-location locations))} - } - ''; - -in -out diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix deleted file mode 100644 index 481d6565c..000000000 --- a/3modules/krebs/retiolum.nix +++ /dev/null 
@@ -1,226 +0,0 @@ -{ config, pkgs, lib, ... }: - -with builtins; -with lib; -let - cfg = config.krebs.retiolum; - - out = { - options.krebs.retiolum = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.retiolum"; - - name = mkOption { - type = types.str; - default = config.networking.hostName; - # Description stolen from tinc.conf(5). - description = '' - This is the name which identifies this tinc daemon. It must - be unique for the virtual private network this daemon will - connect to. The Name may only consist of alphanumeric and - underscore characters. If Name starts with a $, then the - contents of the environment variable that follows will be - used. In that case, invalid characters will be converted to - underscores. If Name is $HOST, but no such environment - variable exist, the hostname will be read using the - gethostnname() system call This is the name which identifies - the this tinc daemon. - ''; - }; - - generateEtcHosts = mkOption { - type = types.str; - default = "both"; - description = '' - If set to short, long, or both, - then generate entries in /etc/hosts from subnets. - ''; - }; - - network = mkOption { - type = types.str; - default = "retiolum"; - description = '' - The tinc network name. - It is used to generate long host entries, - and name the TUN device. - ''; - }; - - tincPackage = mkOption { - type = types.package; - default = pkgs.tinc; - description = "Tincd package to use."; - }; - - hosts = mkOption { - type = with types; either package path; - default = ../../Zhosts; - description = '' - If a path is given, then it will be used to generate an ad-hoc package. - ''; - }; - - iproutePackage = mkOption { - type = types.package; - default = pkgs.iproute; - description = "Iproute2 package to use."; - }; - - - privateKeyFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... 
- type = types.str; - default = "/root/src/secrets/retiolum.rsa_key.priv"; - description = '' - Generate file with tincd -K. - This file must exist on the local system. The default points to - . - ''; - }; - - connectTo = mkOption { - type = types.listOf types.str; - default = [ "fastpoke" "pigstarter" "gum" ]; - description = '' - The list of hosts in the network which the client will try to connect - to. These hosts should have an 'Address' configured which points to a - routeable IPv4 or IPv6 address. - ''; - }; - - }; - - imp = { - environment.systemPackages = [ tinc hosts iproute ]; - - networking.extraHosts = retiolumExtraHosts; - - systemd.services.retiolum = { - description = "Tinc daemon for Retiolum"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ tinc iproute ]; - serviceConfig = { - PermissionsStartOnly = "true"; - PrivateTmp = "true"; - Restart = "always"; - # TODO we cannot chroot (-R) b/c we use symlinks to hosts - # and the private key. - ExecStartPre = pkgs.writeScript "retiolum-init" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv - ''; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D"; - SyslogIdentifier = "retiolum"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = { - name = "retiolum"; - uid = 301281149; # genid retiolum - }; - - tinc = cfg.tincPackage; - - hosts = getAttr (typeOf cfg.hosts) { - package = cfg.hosts; - path = pkgs.stdenv.mkDerivation { - name = "custom-retiolum-hosts"; - src = cfg.hosts; - installPhase = '' - mkdir $out - find . 
-name .git -prune -o -type f -print0 \ - | xargs -0 cp --target-directory $out - ''; - }; - }; - - iproute = cfg.iproutePackage; - - retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" - { } - '' - generate() { - (cd ${hosts} - printf \'\' - for i in `ls`; do - names=$(hostnames $i) - for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do - names="$names $(hostnames $j)" - done - sed -En ' - s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p - ' $i - done | sort - printf \'\' - ) - } - - case ${cfg.generateEtcHosts} in - short) - hostnames() { echo "$1"; } - generate - ;; - long) - hostnames() { echo "$1.${cfg.network}"; } - generate - ;; - both) - hostnames() { echo "$1.${cfg.network} $1"; } - generate - ;; - *) - echo '""' - ;; - esac > $out - ''); - - - confDir = pkgs.runCommand "retiolum" { - # TODO text - executable = true; - preferLocalBuild = true; - } '' - set -euf - - mkdir -p $out - - ln -s ${hosts} $out/hosts - - cat > $out/tinc.conf < $out/tinc-up < changes 2>&1 || : - - if test -s changes; then - date=$(date -R) - subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ - | tr \\n \ ) - { - echo "Date: $date" - echo "From: $from" - echo "Subject: $subject" - echo "To: $mailto" - echo - cat changes - } | /var/setuid-wrappers/sendmail -t - fi - ''; - }; - }; - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = { - name = "urlwatch"; - uid = 3467631196; # genid urlwatch - }; -in -out diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix deleted file mode 100644 index b67585335..000000000 --- a/4lib/krebs/default.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -builtins // lib // rec { - - addName = name: set: - set // { inherit name; }; - - addNames = mapAttrs addName; - - types = import ./types.nix { inherit lib; }; - - dns = import ./dns.nix { inherit lib; }; - listset = import ./listset.nix { inherit lib; }; - tree = import ./tree.nix { inherit lib; }; -} 
diff --git a/4lib/krebs/dns.nix b/4lib/krebs/dns.nix deleted file mode 100644 index b2cf3c24c..000000000 --- a/4lib/krebs/dns.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ lib, ... }: - -let - listset = import ./listset.nix { inherit lib; }; -in - -with builtins; -with lib; - -rec { - # label = string - - # TODO does it make sense to have alias = list label? - - # split-by-provider : - # [[label]] -> tree label provider -> listset provider alias - split-by-provider = as: providers: - foldl (m: a: listset.insert (provider-of a providers) a m) {} as; - - # provider-of : alias -> tree label provider -> provider - # Note that we cannot use tree.get here, because path can be longer - # than the tree depth. - provider-of = a: - let - go = path: tree: - if typeOf tree == "string" - then tree - else go (tail path) tree.${head path}; - in - go (reverseList (splitString "." a)); -} diff --git a/4lib/krebs/listset.nix b/4lib/krebs/listset.nix deleted file mode 100644 index 3aae22f20..000000000 --- a/4lib/krebs/listset.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ lib, ... }: - -with lib; - -rec { - # listset k v = set k [v] - - # insert : k -> v -> listset k v -> listset k v - insert = name: value: set: - set // { ${name} = set.${name} or [] ++ [value]; }; -} diff --git a/4lib/krebs/tree.nix b/4lib/krebs/tree.nix deleted file mode 100644 index 1cd83b3f6..000000000 --- a/4lib/krebs/tree.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: - -with lib; - -rec { - # tree k v = set k (either v (tree k v)) - - # get : [k] -> tree k v -> v - get = path: tree: - if length path > 0 - then get (tail path) tree.${head path} # TODO check if elem exists - else tree; -} diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix deleted file mode 100644 index 92410dd58..000000000 --- a/4lib/krebs/types.nix +++ /dev/null 
@@ -1,109 +0,0 @@ -{ lib, ... }: - -with lib; -with types; - -types // rec { - - host = submodule { - options = { - name = mkOption { - type = label; - }; - dc = mkOption { - type = label; - }; - cores = mkOption { - type = positive; - }; - nets = mkOption { - type = attrsOf net; - apply = x: assert hasAttr "retiolum" x; x; - }; - secure = mkOption { - type = bool; - default = false; - description = '' - If true, then the host is capable of keeping secret information. - - TODO define minimum requirements for secure hosts - ''; - }; - }; - }; - - net = submodule ({ config, ... }: { - options = { - via = mkOption { - type = nullOr net; - default = null; - }; - addrs = mkOption { - type = listOf addr; - apply = _: config.addrs4 ++ config.addrs6; - }; - addrs4 = mkOption { - type = listOf addr4; - default = []; - }; - addrs6 = mkOption { - type = listOf addr6; - default = []; - }; - aliases = mkOption { - # TODO nonEmptyListOf hostname - type = listOf hostname; - }; - tinc = mkOption { - type = let net-config = config; in nullOr (submodule ({ config, ... }: { - options = { - config = mkOption { - type = str; - apply = _: '' - ${optionalString (net-config.via != null) - (concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)} - ${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs} - ${config.pubkey} - ''; - }; - pubkey = mkOption { - type = str; - }; - }; - })); - default = null; - }; - }; - }); - - positive = mkOptionType { - name = "positive integer"; - check = x: isInt x && x > 0; - merge = mergeOneOption; - }; - - user = submodule { - options = { - mail = mkOption { - type = str; # TODO retiolum mail address - }; - name = mkOption { - type = str; # TODO - }; - pubkey = mkOption { - type = str; - }; - pubkeys = mkOption { - type = attrsOf str; - default = {}; - }; - }; - }; - - # TODO - addr = str; - addr4 = str; - addr6 = str; - hostname = str; - label = str; -} 
diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix deleted file mode 100644 index 231fda797..000000000 --- a/Zpkgs/krebs/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ pkgs, ... }: - -let - inherit (pkgs) callPackage; -in - -pkgs // -{ - dic = callPackage ./dic.nix {}; - genid = callPackage ./genid.nix {}; - github-hosts-sync = callPackage ./github-hosts-sync.nix {}; - github-known_hosts = callPackage ./github-known_hosts.nix {}; - hashPassword = callPackage ./hashPassword.nix {}; -} diff --git a/Zpkgs/krebs/dic.nix b/Zpkgs/krebs/dic.nix deleted file mode 100644 index 571773d22..000000000 --- a/Zpkgs/krebs/dic.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ stdenv, fetchgit, coreutils, curl, gnused, gnugrep, ... }: - -stdenv.mkDerivation { - name = "dic"; - - src = fetchgit { - url = https://github.com/krebscode/painload; - rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; - sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; - }; - - phases = [ - "unpackPhase" - "installPhase" - ]; - - installPhase = - let - path = stdenv.lib.makeSearchPath "bin" [ - coreutils - curl - gnused - gnugrep - ]; - in - '' - mkdir -p $out/bin - - sed \ - 's,^main() {$,&\n PATH=${path}; export PATH,' \ - < ./util/bin/dic \ - > $out/bin/dic - - chmod +x $out/bin/dic - ''; -} diff --git a/Zpkgs/krebs/genid.nix b/Zpkgs/krebs/genid.nix deleted file mode 100644 index c75bec317..000000000 --- a/Zpkgs/krebs/genid.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ lib, pkgs, ... }: - -pkgs.writeScriptBin "genid" '' - #! /bin/sh - # usage: genid NAME - set -euf - - export PATH=${lib.makeSearchPath "bin" (with pkgs; [ - bc - coreutils - ])} - - name=$1 - hash=$(printf %s "$name" | sha1sum | cut -d\ -f1 | tr a-f A-F) - echo " - min=2^24 # bigger than nobody and nogroup, see - # and some spare for stuff like lxd. - max=2^32 # see 2^(8*sizeof(uid_t)) - ibase=16 - ($hash + min) % max - " | bc -'' 
diff --git a/Zpkgs/krebs/github-hosts-sync.nix b/Zpkgs/krebs/github-hosts-sync.nix deleted file mode 100644 index d69b2b12b..000000000 --- a/Zpkgs/krebs/github-hosts-sync.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ stdenv, fetchgit, pkgs, ... }: - -stdenv.mkDerivation { - name = "github-hosts-sync"; - - src = fetchgit { - url = https://github.com/krebscode/painload; - rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; - sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; - }; - - phases = [ - "unpackPhase" - "installPhase" - ]; - - installPhase = - let - ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; - path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ - coreutils - findutils - git - gnugrep - gnused - openssh - socat - ]); - in - '' - mkdir -p $out/bin - - sed \ - 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \ - < ./retiolum/scripts/github_hosts_sync/hosts-sync \ - > $out/bin/github-hosts-sync - - chmod +x $out/bin/github-hosts-sync - ''; -} diff --git a/Zpkgs/krebs/github-known_hosts.nix b/Zpkgs/krebs/github-known_hosts.nix deleted file mode 100644 index 302fdd8d5..000000000 --- a/Zpkgs/krebs/github-known_hosts.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -let - github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub); -in - -toFile "github-known_hosts" - (concatMapStrings - (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") - (range 0 255)) diff --git a/Zpkgs/krebs/hashPassword.nix b/Zpkgs/krebs/hashPassword.nix deleted file mode 100644 index a10340cc4..000000000 --- a/Zpkgs/krebs/hashPassword.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ lib, pkgs, ... }: - -pkgs.writeScriptBin "hashPassword" '' - #! /bin/sh - # usage: hashPassword - set -euf - - export PATH=${lib.makeSearchPath "bin" (with pkgs; [ - coreutils - mkpasswd - openssl - ])} - - salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16) - exec mkpasswd -m sha-512 -S "$salt" -'' 
diff --git a/default.nix b/default.nix
index 0ee1c3d05..59a76f81b 100644
--- a/default.nix
+++ b/default.nix
@@ -7,7 +7,7 @@ let
 modules = map (p: ./. + "/${p}") [
 "${user-name}/1systems/${system-name}.nix"
 "${user-name}/3modules"
- "3modules/krebs"
+ "krebs/3modules"
 ];
 };
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
new file mode 100644
index 000000000..cd9cd732b
--- /dev/null
+++ b/krebs/3modules/default.nix
@@ -0,0 +1,407 @@ +{ config, lib, ... }: + +with import ../4lib { inherit lib; }; +let + cfg = config.krebs; + + out = { + imports = [ + ./github-hosts-sync.nix + ./git.nix + ./nginx.nix + ./retiolum.nix + ./urlwatch.nix + ]; + options.krebs = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs"; + + build = mkOption { + type = types.submodule ({ config, ... }: { + options = { + target = mkOption { + type = with types; nullOr str; + default = null; + }; + deps = mkOption { + type = with types; attrsOf (submodule { + options = { + url = mkOption { + type = str; + }; + rev = mkOption { + type = nullOr str; + default = null; + }; + }; + }); + default = {}; + }; + script = mkOption { + type = types.str; + default = '' + #! /bin/sh + set -efux + + target=${escapeShellArg cfg.build.target} + + push(){( + src=$1/ + dst=$target:$2 + rsync \ + --exclude .git \ + --exclude .graveyard \ + --exclude old \ + --rsync-path="mkdir -p \"$dst\" && rsync" \ + --usermap=\*:0 \ + --groupmap=\*:0 \ + --delete-excluded \ + -vrLptgoD \ + "$src" "$dst" + )} + + ${concatStrings (mapAttrsToList (name: { url, rev, ... }: + optionalString (rev == null) '' + push ${toString (map escapeShellArg [ + "${url}" + "/root/src/${name}" + ])} + '') config.deps)} + + exec ssh -S none "$target" /bin/sh <<\EOF + set -efux + fetch(){( + url=$1 + rev=$2 + dst=$3 + mkdir -p "$dst" + cd "$dst" + if ! test -e .git; then + git init + fi + if ! cur_url=$(git config remote.origin.url 2>/dev/null); then + git remote add origin "$url" + elif test "$cur_url" != "$url"; then + git remote set-url origin "$url" + fi + if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then + git fetch origin + git checkout "$rev" -- . + git checkout -q "$rev" + git submodule init + git submodule update + fi + git clean -dxf + )} + + ${concatStrings (mapAttrsToList (name: { url, rev, ... 
}: + optionalString (rev != null) '' + fetch ${toString (map escapeShellArg [ + url + rev + "/root/src/${name}" + ])} + '') config.deps)} + + echo build system... + profile=/nix/var/nix/profiles/system + NIX_PATH=/root/src \ + nix-env \ + -Q \ + -p "$profile" \ + -f '' \ + --set \ + -A system \ + --argstr user-name ${escapeShellArg cfg.build.user.name} \ + --argstr system-name ${escapeShellArg cfg.build.host.name} + + exec "$profile"/bin/switch-to-configuration switch + EOF + ''; + }; + host = mkOption { + type = types.host; + }; + user = mkOption { + type = types.user; + }; + }; + }); + # Define defaul value, so unset values of the submodule get reported. + default = {}; + }; + + dns = { + providers = mkOption { + # TODO with types; tree dns.label dns.provider, so we can merge. + # Currently providers can only be merged if aliases occur just once. + type = with types; attrsOf unspecified; + }; + }; + + hosts = mkOption { + type = with types; attrsOf host; + }; + + users = mkOption { + type = with types; attrsOf user; + }; + + # XXX is there a better place to define search-domain? 
+ # TODO search-domains :: listOf hostname + search-domain = mkOption { + type = types.hostname; + default = "retiolum"; + }; + }; + + imp = mkMerge [ + { krebs = lass-imp; } + { krebs = makefu-imp; } + { krebs = tv-imp; } + { + krebs.dns.providers = { + de.krebsco = "ovh"; + internet = "hosts"; + retiolum = "hosts"; + }; + + # XXX This overlaps with krebs.retiolum + networking.extraHosts = concatStringsSep "\n" (flatten ( + mapAttrsToList (hostname: host: + mapAttrsToList (netname: net: + let + aliases = toString (unique (longs ++ shorts)); + providers = dns.split-by-provider net.aliases cfg.dns.providers; + longs = providers.hosts; + shorts = map (removeSuffix ".${cfg.search-domain}") longs; + in + map (addr: "${addr} ${aliases}") net.addrs + ) host.nets + ) cfg.hosts + )); + } + ]; + + lass-imp = { + hosts = addNames { + }; + users = addNames { + lass = { + pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + }; + uriel = { + pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + }; + }; + }; + + makefu-imp = { + hosts = addNames { + pnp = { + cores = 1; + dc = "makefu"; #vm on 'omo' + nets = { + retiolum = { + addrs4 = ["10.243.0.210"]; + addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"]; + aliases = [ + "pnp.retiolum" + "cgit.pnp.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g + Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V + pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR + SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T + TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr + Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; + users = addNames { + makefu = { + mail = "root@euer.krebsco.de"; + pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub; + }; + }; + }; + + tv-imp = { + dns.providers = { + de.viljetic = "regfish"; + }; + hosts = addNames { + cd = { + cores = 2; + 
dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.219.7.216"]; + aliases = [ + "cd.internet" + "cd.viljetic.de" + "cgit.cd.viljetic.de" + "cd.krebsco.de" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.222"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; + aliases = [ + "cd.retiolum" + "cgit.cd.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ + rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 + e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN + sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v + CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 + PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V + LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk + DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW + ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK + jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 + Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + mkdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.248.167.241"]; + aliases = [ + "mkdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.223"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; + aliases = [ + "mkdir.retiolum" + "cgit.mkdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ + dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev + voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF + 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ + Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 + 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB + -----END RSA PUBLIC KEY----- + 
''; + }; + }; + }; + nomic = { + cores = 2; + dc = "tv"; #dc = "gg23"; + nets = rec { + retiolum = { + addrs4 = ["10.243.0.110"]; + addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; + aliases = [ + "nomic.retiolum" + "cgit.nomic.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ + qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw + Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu + 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a + OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA + Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + rmdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["167.88.44.94"]; + aliases = [ + "rmdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.224"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; + aliases = [ + "rmdir.retiolum" + "cgit.rmdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf + i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM + Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz + hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF + 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH + SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + wu = { + cores = 4; + # TODO wu is mobile, so dc means "home data center" + dc = "tv"; #dc = "gg23"; + nets = { + retiolum = { + addrs4 = ["10.243.13.37"]; + addrs6 = ["42:0:0:0:0:0:0:1337"]; + aliases = [ + "wu.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn + M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg + 
GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT + KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 + 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik + AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + }; + users = addNames { + mv = { + mail = "mv@cd.retiolum"; + pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub; + }; + tv = { + mail = "tv@wu.retiolum"; + pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; + }; + }; + }; + +in +out diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix new file mode 100644 index 000000000..64b7820b2 --- /dev/null +++ b/krebs/3modules/git.nix 
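Review bot: `longs = providers.hosts;` inside the `networking.extraHosts` expression (in the `imp = mkMerge [ ... ]` block of this hunk) fails evaluation with an attribute-missing error for any net whose aliases all resolve to a provider other than "hosts" (e.g. a net carrying only `*.krebsco.de` or `*.viljetic.de` names), because `dns.split-by-provider` only creates keys for providers that actually occur; `longs = providers.hosts or [];` keeps evaluation going and simply emits no /etc/hosts line for such a net. The `build.deps.<name>.rev` option has no description, and the generated `fetch()` only skips its fetch/checkout when `git rev-parse --verify HEAD` equals `rev`, so a branch or tag name is re-fetched and re-checked-out on every build while a full commit id pins exactly what lands under /root/src on the target and is built from there; a description such as `Full commit id to check out on the target; a branch or tag name is accepted but is not pinned and is re-fetched on every build.` would make that contract explicit. The `-f '' \` argument passed to nix-env reads as an empty expression path here, which may be an extraction artifact rather than the committed text; if it is literal, the `--set -A system` step would not evaluate the intended entry point.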
@@ -0,0 +1,486 @@ +{ config, pkgs, lib, ... }: + +# TODO unify logging of shell scripts to user and journal +# TODO move all scripts to ${etcDir}, so ControlMaster connections +# immediately pick up new authenticators +# TODO when authorized_keys changes, then restart ssh +# (or kill already connected users somehow) + +with import ../4lib { inherit lib; }; +let + cfg = config.krebs.git; + + out = { + options.krebs.git = api; + config = mkIf cfg.enable (mkMerge [ + (mkIf cfg.cgit cgit-imp) + git-imp + ]); + }; + + api = { + enable = mkEnableOption "krebs.git"; + + cgit = mkOption { + type = types.bool; + default = true; + description = '' + Enable cgit. + Cgit is an attempt to create a fast web interface for the git version + control system, using a built in cache to decrease pressure on the + git server. + cgit in this module is being served via fastcgi nginx.This module + deploys a http://cgit. nginx configuration and enables nginx + if not yet enabled. + ''; + }; + dataDir = mkOption { + type = types.str; + default = "/var/lib/git"; + description = "Directory used to store repositories."; + }; + etcDir = mkOption { + type = types.str; + default = "/etc/git"; + }; + repos = mkOption { + type = types.attrsOf (types.submodule ({ + options = { + desc = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository description. + ''; + }; + section = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository section. + ''; + }; + name = mkOption { + type = types.str; + description = '' + Repository name. + ''; + }; + hooks = mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + Repository-specific hooks. + ''; + }; + public = mkOption { + type = types.bool; + default = false; + description = '' + Allow everybody to read the repository via HTTP if cgit enabled. + ''; + # TODO allow every configured user to fetch the repository via SSH. 
+ }; + }; + })); + + default = {}; + + example = literalExample '' + { + testing = { + name = "testing"; + hooks.post-update = ''' + #! /bin/sh + set -euf + echo post-update hook: $* >&2 + '''; + }; + testing2 = { name = "testing2"; }; + } + ''; + + description = '' + Repositories. + ''; + }; + root-desc = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Text printed below the heading on the repository index page. + Default value: "a fast webinterface for the git dscm". + ''; + }; + root-title = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Text printed as heading on the repository index page. + Default value: "Git Repository Browser". + ''; + }; + rules = mkOption { + type = types.unspecified; + }; + }; + + git-imp = { + system.activationScripts.git-init = "${init-script}"; + + # TODO maybe put all scripts here and then use PATH? + environment.etc."${etc-base}".source = + scriptFarm "git-ssh-authorizers" { + authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ + (map getName (ensureList user)) + (map getName (ensureList repo)) + (map getName perm.allow-commands) + ]) cfg.rules); + + authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ + (map getName (ensureList user)) + (map getName (ensureList repo)) + (ensureList perm.allow-receive-ref) + (map getName perm.allow-receive-modes) + ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); + }; + + users.extraUsers = singleton { + description = "Git repository hosting user"; + name = "git"; + shell = "/bin/sh"; + openssh.authorizedKeys.keys = + mapAttrsToList (_: makeAuthorizedKey git-ssh-command) + config.krebs.users; + uid = 129318403; # genid git + }; + }; + + cgit-imp = { + users.extraUsers = lib.singleton { + inherit (fcgitwrap-user) group name uid; + home = toString (pkgs.runCommand "empty" {} "mkdir -p $out"); + }; + + users.extraGroups = lib.singleton { + inherit (fcgitwrap-group) gid name; + }; + + 
services.fcgiwrap = { + enable = true; + user = fcgitwrap-user.name; + group = fcgitwrap-user.group; + # socketAddress = "/run/fcgiwrap.sock" (default) + # socketType = "unix" (default) + }; + + environment.etc."cgitrc".text = '' + css=/static/cgit.css + logo=/static/cgit.png + + # if you do not want that webcrawler (like google) index your site + robots=noindex, nofollow + + virtual-root=/ + + # TODO make this nicer (and/or somewhere else) + cache-root=/tmp/cgit + + cache-size=1000 + enable-commit-graph=1 + enable-index-links=1 + enable-index-owner=0 + enable-log-filecount=1 + enable-log-linecount=1 + enable-remote-branches=1 + + ${optionalString (cfg.root-title != null) "root-title=${cfg.root-title}"} + ${optionalString (cfg.root-desc != null) "root-desc=${cfg.root-desc}"} + + snapshots=0 + max-stats=year + + ${concatMapStringsSep "\n" (repo: '' + repo.url=${repo.name} + repo.path=${cfg.dataDir}/${repo.name} + ${optionalString (repo.section != null) "repo.section=${repo.section}"} + ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"} + '') (filter isPublicRepo (attrValues cfg.repos))} + ''; + + system.activationScripts.cgit = '' + mkdir -m 0700 -p /tmp/cgit + chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit + ''; + + krebs.nginx = { + enable = true; + servers.cgit = { + server-names = [ + "cgit.${config.networking.hostName}" + "cgit.${config.networking.hostName}.retiolum" + ]; + locations = [ + (nameValuePair "/" '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + '') + (nameValuePair "/static/" '' + root ${pkgs.cgit}/cgit; + rewrite ^/static(/.*)$ $1 break; + '') + ]; + }; + }; + }; + + fcgitwrap-user = { + name = "fcgiwrap"; + uid = 2867890860; # genid fcgiwrap + group = "fcgiwrap"; + }; + + 
fcgitwrap-group = { + name = fcgitwrap-user.name; + gid = fcgitwrap-user.uid; + }; + + + ensureList = x: + if typeOf x == "list" then x else [x]; + + getName = x: x.name; + + isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix + + makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }: + # TODO assert name + # TODO assert pubkey + let + options = concatStringsSep "," [ + ''command="exec ${git-ssh-command} ${name}"'' + "no-agent-forwarding" + "no-port-forwarding" + "no-pty" + "no-X11-forwarding" + ]; + in + "${options} ${pubkey}"; + + # [case-pattern] -> shell-script + # Create a shell script that succeeds (exit 0) when all its arguments + # match the case patterns (in the given order). + makeAuthorizeScript = + let + # TODO escape + to-pattern = x: concatStringsSep "|" (ensureList x); + go = i: ps: + if ps == [] + then "exit 0" + else '' + case ''$${toString i} in ${to-pattern (head ps)}) + ${go (i + 1) (tail ps)} + esac''; + in + patterns: '' + #! /bin/sh + set -euf + ${concatStringsSep "\n" (map (go 1) patterns)} + exit -1 + ''; + + reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules)); + + # TODO makeGitHooks that uses runCommand instead of scriptFarm? + scriptFarm = + farm-name: scripts: + let + makeScript = script-name: script-string: { + name = script-name; + path = pkgs.writeScript "${farm-name}_${script-name}" script-string; + }; + in + pkgs.linkFarm farm-name (mapAttrsToList makeScript scripts); + + + git-ssh-command = pkgs.writeScript "git-ssh-command" '' + #! 
/bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + git + gnugrep + gnused + systemd + ])} + + abort() { + echo "error: $1" >&2 + systemd-cat -p err -t git echo "error: $1" + exit -1 + } + + GIT_SSH_USER=$1 + + systemd-cat -p info -t git echo \ + "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND" + + # References: The Base Definitions volume of + # POSIX.1‐2013, Section 3.278, Portable Filename Character Set + portable_filename_bre="^[A-Za-z0-9._-]\\+$" + + command=$(echo "$SSH_ORIGINAL_COMMAND" \ + | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \ + | grep "$portable_filename_bre" \ + || abort 'cannot read command') + + GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \ + | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \ + | grep "$portable_filename_bre" \ + || abort 'cannot read reponame') + + ${cfg.etcDir}/authorize-command \ + "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \ + || abort 'access denied' + + repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO + + systemd-cat -p info -t git \ + echo "authorized exec $command $repodir" + + export GIT_SSH_USER + export GIT_SSH_REPO + exec "$command" "$repodir" + ''; + + init-script = pkgs.writeScript "git-init" '' + #! /bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + findutils + gawk + git + gnugrep + gnused + ])} + + dataDir=${escapeShellArg cfg.dataDir} + mkdir -p "$dataDir" + + # Notice how the presence of hooks symlinks determine whether + # we manage a repositry or not. + + # Make sure that no existing repository has hooks. We can delete + # symlinks because we assume we created them. + find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete + bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks) + if echo "$bad_hooks" | grep -q .; then + printf 'error: unknown hooks:\n%s\n' \ + "$(echo "$bad_hooks" | sed 's/^/ /')" \ + >&2 + exit -1 + fi + + # Initialize repositories. 
+ ${concatMapStringsSep "\n" (repo: + let + hooks = scriptFarm "git-hooks" (makeHooks repo); + in + '' + reponame=${escapeShellArg repo.name} + repodir=$dataDir/$reponame + mode=${toString (if isPublicRepo repo then 0711 else 0700)} + if ! test -d "$repodir"; then + mkdir -m "$mode" "$repodir" + git init --bare --template=/var/empty "$repodir" + chown -R git:nogroup "$repodir" + fi + ln -s ${hooks} "$repodir/hooks" + '' + ) (attrValues cfg.repos)} + + # Warn about repositories that exist but aren't mentioned in the + # current configuration (and thus didn't receive a hooks symlink). + unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \ + -type d \! -exec test -e '{}/hooks' \; -print) + if echo "$unknown_repos" | grep -q .; then + printf 'warning: stale repositories:\n%s\n' \ + "$(echo "$unknown_repos" | sed 's/^/ /')" \ + >&2 + fi + ''; + + makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // { + pre-receive = '' + #! /bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils # env + git + systemd + ])} + + accept() { + #systemd-cat -p info -t git echo "authorized $1" + accept_string="''${accept_string+$accept_string + }authorized $1" + } + reject() { + #systemd-cat -p err -t git echo "denied $1" + #echo 'access denied' >&2 + #exit_code=-1 + reject_string="''${reject_string+$reject_string + }access denied: $1" + } + + empty=0000000000000000000000000000000000000000 + + accept_string= + reject_string= + while read oldrev newrev ref; do + + if [ $oldrev = $empty ]; then + receive_mode=create + elif [ $newrev = $empty ]; then + receive_mode=delete + elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then + receive_mode=fast-forward + else + receive_mode=non-fast-forward + fi + + if ${cfg.etcDir}/authorize-push \ + "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then + accept "$receive_mode $ref" + else + reject "$receive_mode $ref" + fi + done + + if [ -n "$reject_string" ]; then + systemd-cat -p err -t git echo 
"$reject_string" + exit -1 + fi + + systemd-cat -p info -t git echo "$accept_string" + + ${optionalString (hasAttr "post-receive" repo.hooks) '' + # custom post-receive hook + ${repo.hooks.post-receive}''} + ''; + }; + + etc-base = + assert (hasPrefix "/etc/" cfg.etcDir); + removePrefix "/etc/" cfg.etcDir; + +in +out diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix new file mode 100644 index 000000000..0274b9d15 --- /dev/null +++ b/krebs/3modules/github-hosts-sync.nix 
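Review bot: The cgit cache setup in `system.activationScripts.cgit` creates and chowns `/tmp/cgit` under `/tmp`, which is normally world-writable; `mkdir -p` silently accepts a directory that already exists there and `chown` without `-h` follows a symlink, so root can end up handing ownership of some unrelated path to the fcgiwrap user. Keep the cache outside `/tmp` in a directory the module owns and point `cache-root=` in cgitrc at the same place (constructed example: `mkdir -m 0700 -p /var/cache/cgit`, `chown … /var/cache/cgit`, `cache-root=/var/cache/cgit`); the existing `# TODO make this nicer (and/or somewhere else)` would then be resolved. Separately, `exit -1` in makeAuthorizeScript, in the `abort` helper of git-ssh-command, in init-script and in the generated pre-receive hook is not a valid POSIX exit status and some shells reject it outright; `exit 1` is the portable form and still rejects the command or push.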
@@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.github-hosts-sync; + + out = { + options.krebs.github-hosts-sync = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.github-hosts-sync"; + port = mkOption { + type = types.int; # TODO port type + default = 1028; + }; + dataDir = mkOption { + type = types.str; # TODO path (but not just into store) + default = "/var/lib/github-hosts-sync"; + }; + ssh-identity-file = mkOption { + type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} + default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; + }; + }; + + imp = { + systemd.services.github-hosts-sync = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + port = toString cfg.port; + }; + serviceConfig = { + PermissionsStartOnly = "true"; + SyslogIdentifier = "github-hosts-sync"; + User = user.name; + Restart = "always"; + ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' + #! /bin/sh + set -euf + + ssh_identity_file_target=$( + case ${cfg.ssh-identity-file} in + *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; + *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; + *) + echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 + exit 1 + esac + ) + + mkdir -p ${cfg.dataDir} + chown ${user.name}: ${cfg.dataDir} + + install \ + -o ${user.name} \ + -m 0400 \ + ${cfg.ssh-identity-file} \ + "$ssh_identity_file_target" + + ln -snf ${kpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts + ''; + ExecStart = "${kpkgs.github-hosts-sync}/bin/github-hosts-sync"; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + home = cfg.dataDir; + }; + }; + + user = { + name = "github-hosts-sync"; + uid = 3220554646; # genid github-hosts-sync + }; + + kpkgs = import ../../krebs/5pkgs { inherit pkgs; }; +in +out 
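Review bot: The first `case` pattern in the `github-hosts-sync-init` script, `*.ssh.id_rsa|*.ssh.id_ed25519)`, already matches ed25519 key names, so the second branch that selects `id_ed25519` is unreachable and an ed25519 identity gets installed as `.ssh/id_rsa`; the first pattern should be only `*.ssh.id_rsa) echo ${cfg.dataDir}/.ssh/id_rsa;;`. The script also creates just `${cfg.dataDir}`, while `install` (no `-D`) and `ln -snf` both write into `${cfg.dataDir}/.ssh`, which nothing creates, so the first start on an empty data directory would fail; add `mkdir -p ${cfg.dataDir}/.ssh` and chown it next to the existing `mkdir -p`/`chown` lines. Since the shell reads `${cfg.ssh-identity-file}` and `${cfg.dataDir}` unquoted, the option descriptions should say the values must not contain whitespace, or the script should quote them.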
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
new file mode 100644
index 000000000..702e8a7f6
--- /dev/null
+++ b/krebs/3modules/nginx.nix
@@ -0,0 +1,72 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+with lib;
+let
+ cfg = config.krebs.nginx;
+
+ out = {
+ options.krebs.nginx = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "krebs.nginx";
+
+ servers = mkOption {
+ type = with types; attrsOf optionSet;
+ options = singleton {
+ server-names = mkOption {
+ type = with types; listOf str;
+ # TODO use identity
+ default = [
+ "${config.networking.hostName}"
+ "${config.networking.hostName}.retiolum"
+ ];
+ };
+ locations = mkOption {
+ type = with types; listOf (attrsOf str);
+ };
+ };
+ default = {};
+ };
+ };
+
+ imp = {
+ services.nginx = {
+ enable = true;
+ httpConfig = ''
+ include ${pkgs.nginx}/conf/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ server {
+ listen 80 default_server;
+ server_name _;
+ return 404;
+ }
+ ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
+ '';
+ };
+ };
+
+
+ indent = replaceChars ["\n"] ["\n "];
+
+ to-location = { name, value }: ''
+ location ${name} {
+ ${indent value}
+ }
+ '';
+
+ to-server = { server-names, locations, ... }: ''
+ server {
+ listen 80;
+ server_name ${toString server-names};
+ ${indent (concatStrings (map to-location locations))}
+ }
+ '';
+
+in
+out
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix
new file mode 100644
index 000000000..481d6565c
--- /dev/null
+++ b/krebs/3modules/retiolum.nix
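Review bot: `servers` is declared with the older `attrsOf optionSet` plus `options = singleton { … }` form, while `krebs/4lib/types.nix` in this same commit already builds its option sets with `types.submodule`; the two files should agree, and `submodule` is the form the module system has been moving to. The switch keeps `server-names` and `locations` exactly as they are and only moves them under the submodule, so callers setting `krebs.nginx.servers.<name>` are unaffected.
```nix
servers = mkOption {
  type = types.attrsOf (types.submodule {
    options = {
      # … unchanged: server-names and locations options …
    };
  });
  default = {};
};
```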
@@ -0,0 +1,226 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.retiolum; + + out = { + options.krebs.retiolum = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.retiolum"; + + name = mkOption { + type = types.str; + default = config.networking.hostName; + # Description stolen from tinc.conf(5). + description = '' + This is the name which identifies this tinc daemon. It must + be unique for the virtual private network this daemon will + connect to. The Name may only consist of alphanumeric and + underscore characters. If Name starts with a $, then the + contents of the environment variable that follows will be + used. In that case, invalid characters will be converted to + underscores. If Name is $HOST, but no such environment + variable exist, the hostname will be read using the + gethostnname() system call This is the name which identifies + the this tinc daemon. + ''; + }; + + generateEtcHosts = mkOption { + type = types.str; + default = "both"; + description = '' + If set to short, long, or both, + then generate entries in /etc/hosts from subnets. + ''; + }; + + network = mkOption { + type = types.str; + default = "retiolum"; + description = '' + The tinc network name. + It is used to generate long host entries, + and name the TUN device. + ''; + }; + + tincPackage = mkOption { + type = types.package; + default = pkgs.tinc; + description = "Tincd package to use."; + }; + + hosts = mkOption { + type = with types; either package path; + default = ../../Zhosts; + description = '' + If a path is given, then it will be used to generate an ad-hoc package. + ''; + }; + + iproutePackage = mkOption { + type = types.package; + default = pkgs.iproute; + description = "Iproute2 package to use."; + }; + + + privateKeyFile = mkOption { + # TODO if it's types.path then it gets copied to /nix/store with + # bad unsafe permissions... 
+ type = types.str; + default = "/root/src/secrets/retiolum.rsa_key.priv"; + description = '' + Generate file with tincd -K. + This file must exist on the local system. The default points to + . + ''; + }; + + connectTo = mkOption { + type = types.listOf types.str; + default = [ "fastpoke" "pigstarter" "gum" ]; + description = '' + The list of hosts in the network which the client will try to connect + to. These hosts should have an 'Address' configured which points to a + routeable IPv4 or IPv6 address. + ''; + }; + + }; + + imp = { + environment.systemPackages = [ tinc hosts iproute ]; + + networking.extraHosts = retiolumExtraHosts; + + systemd.services.retiolum = { + description = "Tinc daemon for Retiolum"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ tinc iproute ]; + serviceConfig = { + PermissionsStartOnly = "true"; + PrivateTmp = "true"; + Restart = "always"; + # TODO we cannot chroot (-R) b/c we use symlinks to hosts + # and the private key. + ExecStartPre = pkgs.writeScript "retiolum-init" '' + #! /bin/sh + install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv + ''; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D"; + SyslogIdentifier = "retiolum"; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + }; + }; + + user = { + name = "retiolum"; + uid = 301281149; # genid retiolum + }; + + tinc = cfg.tincPackage; + + hosts = getAttr (typeOf cfg.hosts) { + package = cfg.hosts; + path = pkgs.stdenv.mkDerivation { + name = "custom-retiolum-hosts"; + src = cfg.hosts; + installPhase = '' + mkdir $out + find . 
-name .git -prune -o -type f -print0 \ + | xargs -0 cp --target-directory $out + ''; + }; + }; + + iproute = cfg.iproutePackage; + + retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" + { } + '' + generate() { + (cd ${hosts} + printf \'\' + for i in `ls`; do + names=$(hostnames $i) + for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do + names="$names $(hostnames $j)" + done + sed -En ' + s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p + ' $i + done | sort + printf \'\' + ) + } + + case ${cfg.generateEtcHosts} in + short) + hostnames() { echo "$1"; } + generate + ;; + long) + hostnames() { echo "$1.${cfg.network}"; } + generate + ;; + both) + hostnames() { echo "$1.${cfg.network} $1"; } + generate + ;; + *) + echo '""' + ;; + esac > $out + ''); + + + confDir = pkgs.runCommand "retiolum" { + # TODO text + executable = true; + preferLocalBuild = true; + } '' + set -euf + + mkdir -p $out + + ln -s ${hosts} $out/hosts + + cat > $out/tinc.conf < $out/tinc-up < changes 2>&1 || : + + if test -s changes; then + date=$(date -R) + subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ + | tr \\n \ ) + { + echo "Date: $date" + echo "From: $from" + echo "Subject: $subject" + echo "To: $mailto" + echo + cat changes + } | /var/setuid-wrappers/sendmail -t + fi + ''; + }; + }; + users.extraUsers = singleton { + inherit (user) name uid; + }; + }; + + user = { + name = "urlwatch"; + uid = 3467631196; # genid urlwatch + }; +in +out diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix new file mode 100644 index 000000000..b67585335 --- /dev/null +++ b/krebs/4lib/default.nix @@ -0,0 +1,18 @@ +{ lib, ... }: + +with builtins; +with lib; + +builtins // lib // rec { + + addName = name: set: + set // { inherit name; }; + + addNames = mapAttrs addName; + + types = import ./types.nix { inherit lib; }; + + dns = import ./dns.nix { inherit lib; }; + listset = import ./listset.nix { inherit lib; }; + tree = import ./tree.nix { inherit lib; }; +} 
diff --git a/krebs/4lib/dns.nix b/krebs/4lib/dns.nix
new file mode 100644
index 000000000..b2cf3c24c
--- /dev/null
+++ b/krebs/4lib/dns.nix
@@ -0,0 +1,31 @@
+{ lib, ... }:
+
+let
+ listset = import ./listset.nix { inherit lib; };
+in
+
+with builtins;
+with lib;
+
+rec {
+ # label = string
+
+ # TODO does it make sense to have alias = list label?
+
+ # split-by-provider :
+ # [[label]] -> tree label provider -> listset provider alias
+ split-by-provider = as: providers:
+ foldl (m: a: listset.insert (provider-of a providers) a m) {} as;
+
+ # provider-of : alias -> tree label provider -> provider
+ # Note that we cannot use tree.get here, because path can be longer
+ # than the tree depth.
+ provider-of = a:
+ let
+ go = path: tree:
+ if typeOf tree == "string"
+ then tree
+ else go (tail path) tree.${head path};
+ in
+ go (reverseList (splitString "." a));
+}
diff --git a/krebs/4lib/listset.nix b/krebs/4lib/listset.nix
new file mode 100644
index 000000000..3aae22f20
--- /dev/null
+++ b/krebs/4lib/listset.nix
@@ -0,0 +1,11 @@
+{ lib, ... }:
+
+with lib;
+
+rec {
+ # listset k v = set k [v]
+
+ # insert : k -> v -> listset k v -> listset k v
+ insert = name: value: set:
+ set // { ${name} = set.${name} or [] ++ [value]; };
+}
diff --git a/krebs/4lib/tree.nix b/krebs/4lib/tree.nix
new file mode 100644
index 000000000..1cd83b3f6
--- /dev/null
+++ b/krebs/4lib/tree.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+
+with lib;
+
+rec {
+ # tree k v = set k (either v (tree k v))
+
+ # get : [k] -> tree k v -> v
+ get = path: tree:
+ if length path > 0
+ then get (tail path) tree.${head path} # TODO check if elem exists
+ else tree;
+}
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
new file mode 100644
index 000000000..92410dd58
--- /dev/null
+++ b/krebs/4lib/types.nix
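Review bot: `provider-of` in dns.nix descends with `head path`/`tail path` but never checks whether `path` is exhausted, so a tree that does not bottom out in a string before the alias labels run out fails inside `head` with an error that says nothing about which alias or provider tree was at fault; an explicit branch before the recursion, `else if path == [] then throw "provider-of: no provider for ${a}"`, names the real problem. The same holds for a label that is not a key of the current level (`tree.${head path}` on a missing attribute). `get` in tree.nix has the matching gap that its own `# TODO check if elem exists` marks, and would benefit from the same guard.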
@@ -0,0 +1,109 @@ +{ lib, ... }: + +with lib; +with types; + +types // rec { + + host = submodule { + options = { + name = mkOption { + type = label; + }; + dc = mkOption { + type = label; + }; + cores = mkOption { + type = positive; + }; + nets = mkOption { + type = attrsOf net; + apply = x: assert hasAttr "retiolum" x; x; + }; + secure = mkOption { + type = bool; + default = false; + description = '' + If true, then the host is capable of keeping secret information. + + TODO define minimum requirements for secure hosts + ''; + }; + }; + }; + + net = submodule ({ config, ... }: { + options = { + via = mkOption { + type = nullOr net; + default = null; + }; + addrs = mkOption { + type = listOf addr; + apply = _: config.addrs4 ++ config.addrs6; + }; + addrs4 = mkOption { + type = listOf addr4; + default = []; + }; + addrs6 = mkOption { + type = listOf addr6; + default = []; + }; + aliases = mkOption { + # TODO nonEmptyListOf hostname + type = listOf hostname; + }; + tinc = mkOption { + type = let net-config = config; in nullOr (submodule ({ config, ... }: { + options = { + config = mkOption { + type = str; + apply = _: '' + ${optionalString (net-config.via != null) + (concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)} + ${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs} + ${config.pubkey} + ''; + }; + pubkey = mkOption { + type = str; + }; + }; + })); + default = null; + }; + }; + }); + + positive = mkOptionType { + name = "positive integer"; + check = x: isInt x && x > 0; + merge = mergeOneOption; + }; + + user = submodule { + options = { + mail = mkOption { + type = str; # TODO retiolum mail address + }; + name = mkOption { + type = str; # TODO + }; + pubkey = mkOption { + type = str; + }; + pubkeys = mkOption { + type = attrsOf str; + default = {}; + }; + }; + }; + + # TODO + addr = str; + addr4 = str; + addr6 = str; + hostname = str; + label = str; +} 
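Review bot: `addrs` and the tinc `config` option are declared as ordinary settable options (`listOf addr` and `str`) but their `apply = _: …` throws away whatever a user sets, so a configured value is silently ignored rather than rejected; marking them `readOnly = true` (keeping the `apply`) lets the module system refuse attempts to set them, and a `description` on each saying the value is derived from `addrs4`/`addrs6` and from `via`/`addrs`/`pubkey` would explain why. Note also that `addr`, `addr4`, `addr6`, `hostname` and `label` are all plain `str` (the TODO acknowledges this) and feed straight into the generated `Address =`/`Subnet =` lines and the `${config.pubkey}` block, so a `check` on those aliases would catch malformed entries at evaluation time instead of inside tinc. The `apply` on `nets` that asserts a `retiolum` entry exists gives a bare assertion failure with no host name; a `throw` with the offending host's `name` would be easier to act on.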
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix new file mode 100644 index 000000000..231fda797 --- /dev/null +++ b/krebs/5pkgs/default.nix @@ -0,0 +1,14 @@ +{ pkgs, ... }: + +let + inherit (pkgs) callPackage; +in + +pkgs // +{ + dic = callPackage ./dic.nix {}; + genid = callPackage ./genid.nix {}; + github-hosts-sync = callPackage ./github-hosts-sync.nix {}; + github-known_hosts = callPackage ./github-known_hosts.nix {}; + hashPassword = callPackage ./hashPassword.nix {}; +} diff --git a/krebs/5pkgs/dic.nix b/krebs/5pkgs/dic.nix new file mode 100644 index 000000000..571773d22 --- /dev/null +++ b/krebs/5pkgs/dic.nix @@ -0,0 +1,36 @@ +{ stdenv, fetchgit, coreutils, curl, gnused, gnugrep, ... }: + +stdenv.mkDerivation { + name = "dic"; + + src = fetchgit { + url = https://github.com/krebscode/painload; + rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; + sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = + let + path = stdenv.lib.makeSearchPath "bin" [ + coreutils + curl + gnused + gnugrep + ]; + in + '' + mkdir -p $out/bin + + sed \ + 's,^main() {$,&\n PATH=${path}; export PATH,' \ + < ./util/bin/dic \ + > $out/bin/dic + + chmod +x $out/bin/dic + ''; +} diff --git a/krebs/5pkgs/genid.nix b/krebs/5pkgs/genid.nix new file mode 100644 index 000000000..c75bec317 --- /dev/null +++ b/krebs/5pkgs/genid.nix @@ -0,0 +1,22 @@ +{ lib, pkgs, ... }: + +pkgs.writeScriptBin "genid" '' + #! /bin/sh + # usage: genid NAME + set -euf + + export PATH=${lib.makeSearchPath "bin" (with pkgs; [ + bc + coreutils + ])} + + name=$1 + hash=$(printf %s "$name" | sha1sum | cut -d\ -f1 | tr a-f A-F) + echo " + min=2^24 # bigger than nobody and nogroup, see + # and some spare for stuff like lxd. + max=2^32 # see 2^(8*sizeof(uid_t)) + ibase=16 + ($hash + min) % max + " | bc +'' 
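Review bot: `($hash + min) % max` in genid does not give the lower bound its comment promises: when the hash reduced mod `max` lies within `min` of `max`, adding `min` wraps past `max` and the result falls below `2^24`, into the range `min` was meant to keep clear of system accounts. Use `($hash % (max - min)) + min`, which always yields a value in `[min, max)` and needs no numeric literal, so the `ibase=16` already in effect on that line does not matter. A one-line comment that the id is a pure function of the name and that two names can still collide would also help, since the modules in this commit record the results as `# genid <name>` next to fixed `uid`/`gid` values and rely on them being distinct.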
diff --git a/krebs/5pkgs/github-hosts-sync.nix b/krebs/5pkgs/github-hosts-sync.nix new file mode 100644 index 000000000..d69b2b12b --- /dev/null +++ b/krebs/5pkgs/github-hosts-sync.nix @@ -0,0 +1,40 @@ +{ stdenv, fetchgit, pkgs, ... }: + +stdenv.mkDerivation { + name = "github-hosts-sync"; + + src = fetchgit { + url = https://github.com/krebscode/painload; + rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; + sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = + let + ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; + path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ + coreutils + findutils + git + gnugrep + gnused + openssh + socat + ]); + in + '' + mkdir -p $out/bin + + sed \ + 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \ + < ./retiolum/scripts/github_hosts_sync/hosts-sync \ + > $out/bin/github-hosts-sync + + chmod +x $out/bin/github-hosts-sync + ''; +} diff --git a/krebs/5pkgs/github-known_hosts.nix b/krebs/5pkgs/github-known_hosts.nix new file mode 100644 index 000000000..302fdd8d5 --- /dev/null +++ b/krebs/5pkgs/github-known_hosts.nix @@ -0,0 +1,13 @@ +{ lib, ... }: + +with builtins; +with lib; + +let + github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub); +in + +toFile "github-known_hosts" + (concatMapStrings + (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") + (range 0 255)) diff --git a/krebs/5pkgs/hashPassword.nix b/krebs/5pkgs/hashPassword.nix new file mode 100644 index 000000000..a10340cc4 --- /dev/null +++ b/krebs/5pkgs/hashPassword.nix @@ -0,0 +1,16 @@ +{ lib, pkgs, ... }: + +pkgs.writeScriptBin "hashPassword" '' + #! /bin/sh + # usage: hashPassword + set -euf + + export PATH=${lib.makeSearchPath "bin" (with pkgs; [ + coreutils + mkpasswd + openssl + ])} + + salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16) + exec mkpasswd -m sha-512 -S "$salt" +'' 
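Review bot: `github-known_hosts` expands the host key over the 256 addresses of `192.30.252.0/24` via `range 0 255` with no comment saying where that block comes from or how to refresh it; since every entry also carries the `github.com` pattern, the hostname match already pins the key on its own, and the per-address entries presumably only matter for ssh's IP check. Add a comment such as `# Address block taken from GitHub's published ranges at the time of writing; refresh when they change` and consider emitting a single `github.com ${github-pubkey}` line in addition, so the pinning does not depend on the hard-coded block at all. In hashPassword, the salt pipeline runs under `set -euf` without `pipefail`, so a failing `openssl rand` leaves `salt` empty and the script would still exec `mkpasswd -S ""`; a `test -n "$salt"` guard before the `exec` line makes that failure visible.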
diff --git a/tv/4lib/default.nix b/tv/4lib/default.nix index e0a295f17..352689af4 100644 --- a/tv/4lib/default.nix +++ b/tv/4lib/default.nix @@ -1,7 +1,7 @@ { lib, pkgs, ... }: let - krebs = import ../../4lib/krebs { inherit lib; }; + krebs = import ../../krebs/4lib { inherit lib; }; in with krebs; diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 50625f868..7b5d10a60 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -2,10 +2,10 @@ let inherit (pkgs) callPackage; - krebs = import ../../Zpkgs/krebs { inherit pkgs; }; + kpkgs = import ../../krebs/5pkgs { inherit pkgs; }; in -krebs // { +kpkgs // { charybdis = callPackage ./charybdis {}; lentil = callPackage ./lentil {}; much = callPackage ./much.nix {}; -- cgit v1.3.1 From fa175ca26e533b62f3afc11709ef1689647c558c Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 28 Jul 2015 22:20:59 +0200 Subject: lass: move everything to user-toplevel pt. 2 --- lass/1systems/cloudkrebs.nix | 1 + lass/1systems/mors.nix | 35 ++++++++++++++++++----------------- lass/1systems/uriel.nix | 1 + lass/2configs/base.nix | 4 ++-- lass/2configs/identity.nix | 4 +++- lass/2configs/mors/retiolum.nix | 21 --------------------- lass/2configs/new-repos.nix | 2 +- lass/2configs/retiolum.nix | 4 ++-- lass/2configs/sshkeys.nix | 2 +- lass/2configs/urxvt.nix | 4 ++-- lass/3modules/xresources.nix | 2 +- 11 files changed, 32 insertions(+), 48 deletions(-) delete mode 100644 lass/2configs/mors/retiolum.nix diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 30a7fb51c..a60024b03 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -24,6 +24,7 @@ ]; krebs.build = { + user = config.krebs.users.lass; target = "root@cloudkrebs"; host = config.krebs.hosts.cloudkrebs; deps = { diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 3519bff66..5bef56682 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix 
@@ -2,27 +2,28 @@
{
imports = [
- ../../2configs/lass/desktop-base.nix
- ../../2configs/lass/programs.nix
- ../../2configs/lass/bitcoin.nix
- ../../2configs/lass/browsers.nix
- ../../2configs/lass/games.nix
- ../../2configs/lass/pass.nix
- ../../2configs/lass/virtualbox.nix
- ../../2configs/lass/elster.nix
- ../../2configs/lass/urxvt.nix
- ../../2configs/lass/steam.nix
- ../../2configs/lass/wine.nix
- ../../2configs/lass/texlive.nix
- ../../2configs/lass/binary-caches.nix
- ../../2configs/lass/ircd.nix
- ../../2configs/lass/chromium-patched.nix
- ../../2configs/lass/new-repos.nix
+ ../2configs/desktop-base.nix
+ ../2configs/programs.nix
+ ../2configs/bitcoin.nix
+ ../2configs/browsers.nix
+ ../2configs/games.nix
+ ../2configs/pass.nix
+ ../2configs/virtualbox.nix
+ ../2configs/elster.nix
+ ../2configs/urxvt.nix
+ ../2configs/steam.nix
+ ../2configs/wine.nix
+ ../2configs/texlive.nix
+ ../2configs/binary-caches.nix
+ ../2configs/ircd.nix
+ ../2configs/chromium-patched.nix
+ ../2configs/new-repos.nix
#../../2configs/tv/synaptics.nix
- ../../2configs/lass/retiolum.nix
+ ../2configs/retiolum.nix
];
krebs.build = {
+ user = config.krebs.users.lass;
target = "root@mors";
host = config.krebs.hosts.mors;
deps = {
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 8984004e1..74d995560 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
@@ -24,6 +24,7 @@ with builtins;
];
krebs.build = {
+ user = config.krebs.users.lass;
target = "root@uriel";
host = config.krebs.hosts.uriel;
deps = {
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 8d4a9c896..8379f14e4 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -3,8 +3,8 @@ with lib;
{
imports = [
- ../../3modules/lass/iptables.nix
- ../../2configs/lass/vim.nix
+ ../3modules/iptables.nix
+ ../2configs/vim.nix
{
users.extraUsers = mapAttrs (_: h: { hashedPassword = h; })
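Review bot: The commented-out import `#../../2configs/tv/synaptics.nix` still carries the pre-move path while every live import in this hunk was rewritten, so re-enabling it later would point at a directory this commit no longer uses. The other hunks in this commit refer to tv's configs as `../../tv/2configs/...` (see the exim-retiolum import in retiolum.nix), so the line should presumably become `#../../tv/2configs/synaptics.nix`, or be dropped if nobody intends to re-enable it. The `krebs.build` block at the bottom of the hunk continues outside it.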
diff --git a/lass/2configs/identity.nix b/lass/2configs/identity.nix
index bfaad14d2..e712b16ac 100644
--- a/lass/2configs/identity.nix
+++ b/lass/2configs/identity.nix
@@ -1,7 +1,9 @@
{ config, ... }:
{
- imports = [ ../../3modules/tv/identity.nix ];
+ imports = [
+ ../../tv/3modules/identity.nix
+ ];
tv.identity = {
enable = true;
search = "retiolum";
diff --git a/lass/2configs/mors/retiolum.nix b/lass/2configs/mors/retiolum.nix
deleted file mode 100644
index 1148bee9c..000000000
--- a/lass/2configs/mors/retiolum.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
- {
- imports = [
- ../tv/retiolum
- ];
-
- tv.retiolum = {
- enable = true;
- hosts = ;
- privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
- connectTo = [
- "fastpoke"
- "gum"
- "ire"
- ];
- };
-
- networking.firewall.allowedTCPPorts = [ 655 ];
- networking.firewall.allowedUDPPorts = [ 655 ];
-}
diff --git a/lass/2configs/new-repos.nix b/lass/2configs/new-repos.nix
index 809091b32..64e9a7f14 100644
--- a/lass/2configs/new-repos.nix
+++ b/lass/2configs/new-repos.nix
@@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
-with import ../../tv/lib { inherit lib pkgs; };
+with import ../../tv/4lib { inherit lib pkgs; };
let
out = {
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index 95890f70e..b8a9cec72 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -2,8 +2,8 @@
{
imports = [
- ../../3modules/lass/iptables.nix
- ../../tv/configs/exim-retiolum.nix
+ ../3modules/iptables.nix
+ ../../tv/2configs/exim-retiolum.nix
];
lass.iptables = {
diff --git a/lass/2configs/sshkeys.nix b/lass/2configs/sshkeys.nix
index 114a2596b..f6081cf37 100644
--- a/lass/2configs/sshkeys.nix
+++ b/lass/2configs/sshkeys.nix
@@ -2,7 +2,7 @@
{
imports = [
- ../../3modules/lass/sshkeys.nix
+ ../3modules/sshkeys.nix
];
config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors";
diff --git a/lass/2configs/urxvt.nix b/lass/2configs/urxvt.nix
index a2074ba02..1358dde7a 100644
--- a/lass/2configs/urxvt.nix
+++ b/lass/2configs/urxvt.nix
@@ -7,8 +7,8 @@ in
{
imports = [
- ../../3modules/lass/urxvtd.nix
- ../../3modules/lass/xresources.nix
+ ../3modules/urxvtd.nix
+ ../3modules/xresources.nix
];
services.urxvtd = {
diff --git a/lass/3modules/xresources.nix b/lass/3modules/xresources.nix
index 15c5b8b74..074963022 100644
--- a/lass/3modules/xresources.nix
+++ b/lass/3modules/xresources.nix
@@ -12,7 +12,7 @@ with lib;
let
- inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape;
+ inherit (import ../../tv/4lib { inherit pkgs lib; }) shell-escape;
inherit (pkgs) writeScript;
in
-- cgit v1.3.1